Windows Analysis Report
invoice & packing list.exe

Overview

General Information

Sample name:	invoice & packing list.exe
Analysis ID:	1427730
MD5:	e9de39ce29b4e19d9487d6517f5fe390
SHA1:	aa9300231e426c9d0cbffe0bcf36f047235e79a6
SHA256:	24390949599e57a802ea820e402befca0610937e51e19a4db8228235d0017a58
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: invoice & packing list.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: invoice & packing list.exe

Virustotal: Detection: 29%

Perma Link

Machine Learning detection for sample

Source: invoice & packing list.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: invoice & packing list.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49733 version: TLS 1.2

Source: invoice & packing list.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 162.241.123.30:587

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 162.241.123.30 162.241.123.30
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 162.241.123.30:587

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: invoice & packing list.exe, 00000002.00000002.2874078879.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.techwiser.in
Source: invoice & packing list.exe, 00000002.00000002.2874078879.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp, invoice & packing list.exe, 00000002.00000002.2873127457.0000000001157000.00000004.00000020.00020000.00000000.sdmp, invoice & packing list.exe, 00000002.00000002.2873127457.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, invoice & packing list.exe, 00000002.00000002.2873127457.0000000001191000.00000004.00000020.00020000.00000000.sdmp, invoice & packing list.exe, 00000002.00000002.2873691975.00000000011F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: invoice & packing list.exe, 00000002.00000002.2874078879.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp, invoice & packing list.exe, 00000002.00000002.2873127457.0000000001157000.00000004.00000020.00020000.00000000.sdmp, invoice & packing list.exe, 00000002.00000002.2873127457.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, invoice & packing list.exe, 00000002.00000002.2873127457.0000000001191000.00000004.00000020.00020000.00000000.sdmp, invoice & packing list.exe, 00000002.00000002.2873691975.00000000011F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: invoice & packing list.exe, 00000002.00000002.2874078879.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: invoice & packing list.exe, 00000000.00000002.1689367239.0000000006B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: invoice & packing list.exe, 00000002.00000002.2874078879.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp, invoice & packing list.exe, 00000002.00000002.2873127457.0000000001157000.00000004.00000020.00020000.00000000.sdmp, invoice & packing list.exe, 00000002.00000002.2879639896.0000000006845000.00000004.00000020.00020000.00000000.sdmp, invoice & packing list.exe, 00000002.00000002.2873127457.0000000001191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: invoice & packing list.exe, 00000002.00000002.2874078879.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp, invoice & packing list.exe, 00000002.00000002.2873127457.0000000001157000.00000004.00000020.00020000.00000000.sdmp, invoice & packing list.exe, 00000002.00000002.2879639896.0000000006845000.00000004.00000020.00020000.00000000.sdmp, invoice & packing list.exe, 00000002.00000002.2873127457.0000000001191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: invoice & packing list.exe, 00000000.00000002.1686242139.00000000036B3000.00000004.00000800.00020000.00000000.sdmp, invoice & packing list.exe, 00000002.00000002.2872129268.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: invoice & packing list.exe, 00000000.00000002.1686242139.00000000036B3000.00000004.00000800.00020000.00000000.sdmp, invoice & packing list.exe, 00000002.00000002.2874078879.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, invoice & packing list.exe, 00000002.00000002.2872129268.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: invoice & packing list.exe, 00000002.00000002.2874078879.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: invoice & packing list.exe, 00000002.00000002.2874078879.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49733 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.invoice & packing list.exe.36edbe0.2.raw.unpack, oAKy.cs

.Net Code: xXlophBw8

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.invoice & packing list.exe.36edbe0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.invoice & packing list.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.invoice & packing list.exe.36b31c0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.invoice & packing list.exe.36edbe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.invoice & packing list.exe.36b31c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: invoice & packing list.exe, App.cs	Large array initialization: : array initializer size 627791
Source: 0.2.invoice & packing list.exe.6f30000.6.raw.unpack, SQL.cs	Large array initialization: : array initializer size 33608
Source: 0.2.invoice & packing list.exe.2690d84.0.raw.unpack, SQL.cs	Large array initialization: : array initializer size 33608

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: invoice & packing list.exe

Detected potential crypto function

Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB43A0	0_2_06FB43A0
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB4088	0_2_06FB4088
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB0040	0_2_06FB0040
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB0EF0	0_2_06FB0EF0
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB6560	0_2_06FB6560
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB654F	0_2_06FB654F
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB326C	0_2_06FB326C
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB3240	0_2_06FB3240
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB4390	0_2_06FB4390
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FBF338	0_2_06FBF338
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FBF328	0_2_06FBF328
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB4079	0_2_06FB4079
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB001E	0_2_06FB001E
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB3008	0_2_06FB3008
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FBEEF0	0_2_06FBEEF0
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB0EB9	0_2_06FB0EB9
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB2FF8	0_2_06FB2FF8
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB2C98	0_2_06FB2C98
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB2C88	0_2_06FB2C88
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB1DE0	0_2_06FB1DE0
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB1DD0	0_2_06FB1DD0
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_010EE6D0	2_2_010EE6D0
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_010ED9D8	2_2_010ED9D8
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_010E4A98	2_2_010E4A98
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_010E3E80	2_2_010E3E80
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_010E41C8	2_2_010E41C8
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_010EA958	2_2_010EA958
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_06ACA068	2_2_06ACA068
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_06AD5570	2_2_06AD5570
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_06ADB299	2_2_06ADB299
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_06AD3028	2_2_06AD3028
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_06ADC148	2_2_06ADC148
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_06AD7D40	2_2_06AD7D40
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_06AD7660	2_2_06AD7660
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_06ADE360	2_2_06ADE360
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_06AD0040	2_2_06AD0040
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_06AD5CAF	2_2_06AD5CAF
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_06AD0006	2_2_06AD0006

Sample file is different than original file name gathered from version info

Source: invoice & packing list.exe, 00000000.00000002.1684734948.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs invoice & packing list.exe
Source: invoice & packing list.exe, 00000000.00000002.1686242139.0000000004026000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs invoice & packing list.exe
Source: invoice & packing list.exe, 00000000.00000002.1685787944.00000000026AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename28519625-fb4c-40d0-af15-66ea2f96c830.exe4 vs invoice & packing list.exe
Source: invoice & packing list.exe, 00000000.00000002.1686242139.00000000036B3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename28519625-fb4c-40d0-af15-66ea2f96c830.exe4 vs invoice & packing list.exe
Source: invoice & packing list.exe, 00000000.00000002.1689959978.0000000006F30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs invoice & packing list.exe
Source: invoice & packing list.exe, 00000000.00000002.1685787944.000000000266D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs invoice & packing list.exe
Source: invoice & packing list.exe, 00000000.00000002.1690928922.000000000AD10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs invoice & packing list.exe
Source: invoice & packing list.exe, 00000002.00000002.2872402277.0000000000EF9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs invoice & packing list.exe
Source: invoice & packing list.exe, 00000002.00000002.2872129268.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename28519625-fb4c-40d0-af15-66ea2f96c830.exe4 vs invoice & packing list.exe
Source: invoice & packing list.exe	Binary or memory string: OriginalFilenameGGDk.exe< vs invoice & packing list.exe

Uses 32bit PE files

Source: invoice & packing list.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.invoice & packing list.exe.36edbe0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.invoice & packing list.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.invoice & packing list.exe.36b31c0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.invoice & packing list.exe.36edbe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.invoice & packing list.exe.36b31c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: invoice & packing list.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.invoice & packing list.exe.36edbe0.2.raw.unpack, ekKu0.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.invoice & packing list.exe.36edbe0.2.raw.unpack, vKf1z6NvS.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.invoice & packing list.exe.36edbe0.2.raw.unpack, ZNAvlD7qmXc.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.invoice & packing list.exe.36edbe0.2.raw.unpack, U2doU2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.invoice & packing list.exe.36edbe0.2.raw.unpack, BgffYko.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.invoice & packing list.exe.36edbe0.2.raw.unpack, HrTdA63.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.invoice & packing list.exe.36edbe0.2.raw.unpack, Vvp22TrBv9g.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.invoice & packing list.exe.36edbe0.2.raw.unpack, Vvp22TrBv9g.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.invoice & packing list.exe.36edbe0.2.raw.unpack, Vvp22TrBv9g.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.invoice & packing list.exe.36edbe0.2.raw.unpack, Vvp22TrBv9g.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, boeN8EZugYfTRxOApL.cs	Security API names: _0020.SetAccessControl
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, boeN8EZugYfTRxOApL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, boeN8EZugYfTRxOApL.cs	Security API names: _0020.AddAccessRule
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, IsmbWLLylsNbQBJICW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, boeN8EZugYfTRxOApL.cs	Security API names: _0020.SetAccessControl
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, boeN8EZugYfTRxOApL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, boeN8EZugYfTRxOApL.cs	Security API names: _0020.AddAccessRule
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, IsmbWLLylsNbQBJICW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\invoice & packing list.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice & packing list.exe.log

Source: C:\Users\user\Desktop\invoice & packing list.exe	Mutant created: \Sessions\1\BaseNamedObjects\oOQVhVfletgHpIzCI
Source: C:\Users\user\Desktop\invoice & packing list.exe	Mutant created: NULL

Source: C:\Users\user\Desktop\invoice & packing list.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\invoice & packing list.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: unknown	Process created: C:\Users\user\Desktop\invoice & packing list.exe "C:\Users\user\Desktop\invoice & packing list.exe"
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process created: C:\Users\user\Desktop\invoice & packing list.exe "C:\Users\user\Desktop\invoice & packing list.exe"
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process created: C:\Users\user\Desktop\invoice & packing list.exe "C:\Users\user\Desktop\invoice & packing list.exe"	Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Section loaded: wintypes.dll	Jump to behavior

Source: invoice & packing list.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, boeN8EZugYfTRxOApL.cs	.Net Code: AMv9OyRGrP System.Reflection.Assembly.Load(byte[])
Source: 0.2.invoice & packing list.exe.6f30000.6.raw.unpack, SQL.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.invoice & packing list.exe.2690d84.0.raw.unpack, SQL.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, boeN8EZugYfTRxOApL.cs	.Net Code: AMv9OyRGrP System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_024E336C push 9C00005Fh; iretd	0_2_024E3419
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_024E3445 push F000005Fh; iretd	0_2_024E34C9
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_024E3415 pushfd ; iretd	0_2_024E3419
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_024E3EF7 push ebp; ret	0_2_024E3EF8
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB0E9A push es; retf	0_2_06FB0EB8
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB0E69 push es; retf	0_2_06FB0EB8
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB0E00 push es; retf	0_2_06FB0E68
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB0E00 push es; retf	0_2_06FB0EB8
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB0947 pushad ; retf	0_2_06FB0948
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 0_2_06FB093D pushad ; retf	0_2_06FB093E
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_010E0B4D push edi; ret	2_2_010E0CC2
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_010E0C95 push edi; retf	2_2_010E0C3A
Source: C:\Users\user\Desktop\invoice & packing list.exe	Code function: 2_2_06ACFCBC push es; retf	2_2_06ACFCC8

Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, x6benKwwZ9OwZYvEPhn.cs	High entropy of concatenated method names: 'ToString', 'VSP3618CtA', 'xeh39qOQIy', 'xHq3sxK7ey', 'QKn3AgOVGb', 'V5a3Qjwcky', 'hBv3YcnJih', 'R343HW93pw', 'FnLW62HuhEV7M8yQfVG', 'Yrdk1oH22RnKmcAtAOV'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, NHwoM1feufwrIp88B7.cs	High entropy of concatenated method names: 'TjaHK8nL6T', 'k6wH7cfYmb', 'dSYYI47qIx', 'QbhYiMyCfP', 'xnMYdFZPI7', 'DlrYjQHgjP', 'go3YL71jjB', 'AhYYSKQxyt', 't1NYZFw4UN', 'UKpYhbXrOj'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, VJT7qa0GcUv7HvpF5g.cs	High entropy of concatenated method names: 's82k01XjC8', 'xk7kMWDN2a', 'MVLkOSmlmX', 'Kqmk1jXlMq', 'DjokKHi0ah', 'UHrkpJiWlf', 'DfVk730jki', 'MWDkrkKROV', 'yMckbyMxh3', 'allkg8P9HJ'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, aY32ngbTNeQthivMBh.cs	High entropy of concatenated method names: 'ToString', 'B5wUwkIEKn', 'ICEU8y1pp5', 'zGQUIdi6Yk', 'bCSUi1oDLS', 'RtEUdTIPJM', 'SsjUjYQg99', 'tpTULwdGGI', 'u3fUS3c3UV', 'oJpUZWE20I'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, bjS7XK30X9MGr4KoTc.cs	High entropy of concatenated method names: 'D2BWkSxUkq', 'sGoWqRGJ4v', 'pleW2BRIQj', 'R4BWml4h3L', 'QNWWDA9wS8', 'ANxWU8iRhX', 'JkQSGOtnKHu1nTjyZD', 'MRPl3WxGhfE0PhYE6K', 'feuWWnVAA1', 'QNrW65oNTm'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, jHYnMeOpB2i33fdhPK.cs	High entropy of concatenated method names: 'JtEY1AF6UQ', 'WQLYptfsXH', 'EXpYrDr5SO', 'WWMYbDOv7X', 'G1kYDOQcKe', 'VooYUMxsjU', 'n0hYyBIe6W', 'KFUYug5OLA', 'jMdYEmKQqd', 'S3eY3kRGII'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, Td6Ro8Ni3RtXwCuSkU.cs	High entropy of concatenated method names: 'AJmy2C0JKc', 'UKxymGnbN1', 'ToString', 'KdLyAJpH35', 'eaayQtiCTv', 'jIpyY9g5gd', 'hqtyHKZuRI', 'XRXyG5JZxS', 'xITykNIGjh', 'Crqyq5svsj'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, boeN8EZugYfTRxOApL.cs	High entropy of concatenated method names: 'PP36s8YSCR', 'XBX6A0ctCl', 'XI26Q5YSad', 'HsA6YVSQNw', 'gVs6H0VDmC', 'KTp6G4vIdO', 'TvV6kQnO5F', 'c166q4Zled', 'R9d6nQ7qwA', 'U7t62ikyau'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, zM27DOwKFXHJLIf69Xf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T8X3fLxdIs', 'F7n3a6aZ7B', 'DLW3VuEG3b', 'ewr3cKfNMy', 'Tgs3BiM6nJ', 'xRY3XBSgHc', 'WKv3NlLNRe'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, JPAuFR60HCnWvWaABo.cs	High entropy of concatenated method names: 'evZuAns7vC', 'Un8uQQZU7g', 'EiJuY36GOy', 'uINuHJyY3A', 'SK9uGWZMuM', 'il7ukYIO6I', 'rAVuqkwi2r', 'TQbunOkVHV', 'rgtu2jqurm', 'pdDum795lD'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, RoTI2YwtT6lNXfg1pmy.cs	High entropy of concatenated method names: 'hB8E0qBN8j', 'vhbEM3VPqb', 'wEdEONQ9BO', 'XZ2E1KU3DL', 'QCCEKeUVjj', 'jpkEpyZIQd', 'e5oE77TpGj', 'M1SErlDX76', 'QtpEbWv7el', 'y63EgHZvHB'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, pBUQqE1OKEYDSahrfn.cs	High entropy of concatenated method names: 'rKQEWweWEX', 'oLYE62bB6T', 'Rf3E9Fgk4r', 'hc5EAqlUXg', 'ydtEQeNFIK', 'R0TEHV88Gd', 'DAZEGcwi2V', 'qjVuN8FdtA', 'cyMu45QHPu', 'D2FuPfGOBX'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, NilmEEE0CH8Q7vyWme.cs	High entropy of concatenated method names: 'wKIuTu0RNE', 'kInu8fW2JI', 'hrquIgbww2', 'T3Qui585nc', 'hC0ufw6Ojk', 'N0sud33a3Y', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, T9YxjoU0gsyH6XRSVo.cs	High entropy of concatenated method names: 'vCBtrZw2vF', 'PXntb963d0', 'ofYtTiplwu', 'zXTt8ks425', 'a2dtiGF7jU', 'PQItdMinaG', 'Q8qtLEwr4J', 'XZVtSUe3Ki', 'L5MthJexUV', 'O17twxIF2F'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, aNy1cxcPoNsKYhTvd2.cs	High entropy of concatenated method names: 'WOWO967wR', 'Aic14bKHY', 'NsLpwBq0p', 'FN77d83oE', 'syTbZIAUR', 'ieDgU1B0x', 'xV3xN9GFbAgaMFBLSr', 'iLLIGZaGfe2eGAjW68', 'VF0udco3J', 'XwN3EsMqd'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, wDdWn8PJtKvMPM9vfi.cs	High entropy of concatenated method names: 'dy2Gs38uj9', 'l9ZGQlYVh6', 'HWDGH9fYl0', 'I43GkA116F', 'WstGq3k1Mv', 'auMHBwk8NX', 'EZiHXO5owM', 'QDFHNgoiFU', 'dgbH4EXpEo', 'uFnHPLNqLh'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, IsmbWLLylsNbQBJICW.cs	High entropy of concatenated method names: 'Lb4Qfsf5pH', 'AdIQa7AiVe', 'CbjQV2Iu3q', 'BIsQcCUQBD', 'dq2QB2sxPX', 'UBnQXVc8wP', 'jHYQNwDBYf', 'cm0Q4kEFHq', 'k9LQPuvq2y', 'neBQ5qRlZT'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, qjLOrWra3YQuKSIDmX.cs	High entropy of concatenated method names: 'Dispose', 'CgfWP3kEYE', 'EkOC8uSJKp', 'NhOvvfL6F8', 'MWvW5UAuWL', 'TCtWztLLyV', 'ProcessDialogKey', 'IUvCRu4VOd', 'nCHCWrjQS4', 'fVpCCPUgyW'
Source: 0.2.invoice & packing list.exe.ad10000.9.raw.unpack, a3SImVRQIFAnlduMwN.cs	High entropy of concatenated method names: 'ftry4m9djd', 'fu5y5RNfOd', 'J8guR3DhKx', 'zHHuWeHSjW', 'zYFywBOO42', 'rAcyeyX2Wm', 'tuEyoYpQwm', 'NRLyfREgu8', 'JgvyaUps9J', 'YdAyVbv0GA'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, x6benKwwZ9OwZYvEPhn.cs	High entropy of concatenated method names: 'ToString', 'VSP3618CtA', 'xeh39qOQIy', 'xHq3sxK7ey', 'QKn3AgOVGb', 'V5a3Qjwcky', 'hBv3YcnJih', 'R343HW93pw', 'FnLW62HuhEV7M8yQfVG', 'Yrdk1oH22RnKmcAtAOV'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, NHwoM1feufwrIp88B7.cs	High entropy of concatenated method names: 'TjaHK8nL6T', 'k6wH7cfYmb', 'dSYYI47qIx', 'QbhYiMyCfP', 'xnMYdFZPI7', 'DlrYjQHgjP', 'go3YL71jjB', 'AhYYSKQxyt', 't1NYZFw4UN', 'UKpYhbXrOj'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, VJT7qa0GcUv7HvpF5g.cs	High entropy of concatenated method names: 's82k01XjC8', 'xk7kMWDN2a', 'MVLkOSmlmX', 'Kqmk1jXlMq', 'DjokKHi0ah', 'UHrkpJiWlf', 'DfVk730jki', 'MWDkrkKROV', 'yMckbyMxh3', 'allkg8P9HJ'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, aY32ngbTNeQthivMBh.cs	High entropy of concatenated method names: 'ToString', 'B5wUwkIEKn', 'ICEU8y1pp5', 'zGQUIdi6Yk', 'bCSUi1oDLS', 'RtEUdTIPJM', 'SsjUjYQg99', 'tpTULwdGGI', 'u3fUS3c3UV', 'oJpUZWE20I'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, bjS7XK30X9MGr4KoTc.cs	High entropy of concatenated method names: 'D2BWkSxUkq', 'sGoWqRGJ4v', 'pleW2BRIQj', 'R4BWml4h3L', 'QNWWDA9wS8', 'ANxWU8iRhX', 'JkQSGOtnKHu1nTjyZD', 'MRPl3WxGhfE0PhYE6K', 'feuWWnVAA1', 'QNrW65oNTm'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, jHYnMeOpB2i33fdhPK.cs	High entropy of concatenated method names: 'JtEY1AF6UQ', 'WQLYptfsXH', 'EXpYrDr5SO', 'WWMYbDOv7X', 'G1kYDOQcKe', 'VooYUMxsjU', 'n0hYyBIe6W', 'KFUYug5OLA', 'jMdYEmKQqd', 'S3eY3kRGII'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, Td6Ro8Ni3RtXwCuSkU.cs	High entropy of concatenated method names: 'AJmy2C0JKc', 'UKxymGnbN1', 'ToString', 'KdLyAJpH35', 'eaayQtiCTv', 'jIpyY9g5gd', 'hqtyHKZuRI', 'XRXyG5JZxS', 'xITykNIGjh', 'Crqyq5svsj'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, boeN8EZugYfTRxOApL.cs	High entropy of concatenated method names: 'PP36s8YSCR', 'XBX6A0ctCl', 'XI26Q5YSad', 'HsA6YVSQNw', 'gVs6H0VDmC', 'KTp6G4vIdO', 'TvV6kQnO5F', 'c166q4Zled', 'R9d6nQ7qwA', 'U7t62ikyau'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, zM27DOwKFXHJLIf69Xf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T8X3fLxdIs', 'F7n3a6aZ7B', 'DLW3VuEG3b', 'ewr3cKfNMy', 'Tgs3BiM6nJ', 'xRY3XBSgHc', 'WKv3NlLNRe'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, JPAuFR60HCnWvWaABo.cs	High entropy of concatenated method names: 'evZuAns7vC', 'Un8uQQZU7g', 'EiJuY36GOy', 'uINuHJyY3A', 'SK9uGWZMuM', 'il7ukYIO6I', 'rAVuqkwi2r', 'TQbunOkVHV', 'rgtu2jqurm', 'pdDum795lD'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, RoTI2YwtT6lNXfg1pmy.cs	High entropy of concatenated method names: 'hB8E0qBN8j', 'vhbEM3VPqb', 'wEdEONQ9BO', 'XZ2E1KU3DL', 'QCCEKeUVjj', 'jpkEpyZIQd', 'e5oE77TpGj', 'M1SErlDX76', 'QtpEbWv7el', 'y63EgHZvHB'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, pBUQqE1OKEYDSahrfn.cs	High entropy of concatenated method names: 'rKQEWweWEX', 'oLYE62bB6T', 'Rf3E9Fgk4r', 'hc5EAqlUXg', 'ydtEQeNFIK', 'R0TEHV88Gd', 'DAZEGcwi2V', 'qjVuN8FdtA', 'cyMu45QHPu', 'D2FuPfGOBX'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, NilmEEE0CH8Q7vyWme.cs	High entropy of concatenated method names: 'wKIuTu0RNE', 'kInu8fW2JI', 'hrquIgbww2', 'T3Qui585nc', 'hC0ufw6Ojk', 'N0sud33a3Y', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, T9YxjoU0gsyH6XRSVo.cs	High entropy of concatenated method names: 'vCBtrZw2vF', 'PXntb963d0', 'ofYtTiplwu', 'zXTt8ks425', 'a2dtiGF7jU', 'PQItdMinaG', 'Q8qtLEwr4J', 'XZVtSUe3Ki', 'L5MthJexUV', 'O17twxIF2F'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, aNy1cxcPoNsKYhTvd2.cs	High entropy of concatenated method names: 'WOWO967wR', 'Aic14bKHY', 'NsLpwBq0p', 'FN77d83oE', 'syTbZIAUR', 'ieDgU1B0x', 'xV3xN9GFbAgaMFBLSr', 'iLLIGZaGfe2eGAjW68', 'VF0udco3J', 'XwN3EsMqd'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, wDdWn8PJtKvMPM9vfi.cs	High entropy of concatenated method names: 'dy2Gs38uj9', 'l9ZGQlYVh6', 'HWDGH9fYl0', 'I43GkA116F', 'WstGq3k1Mv', 'auMHBwk8NX', 'EZiHXO5owM', 'QDFHNgoiFU', 'dgbH4EXpEo', 'uFnHPLNqLh'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, IsmbWLLylsNbQBJICW.cs	High entropy of concatenated method names: 'Lb4Qfsf5pH', 'AdIQa7AiVe', 'CbjQV2Iu3q', 'BIsQcCUQBD', 'dq2QB2sxPX', 'UBnQXVc8wP', 'jHYQNwDBYf', 'cm0Q4kEFHq', 'k9LQPuvq2y', 'neBQ5qRlZT'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, qjLOrWra3YQuKSIDmX.cs	High entropy of concatenated method names: 'Dispose', 'CgfWP3kEYE', 'EkOC8uSJKp', 'NhOvvfL6F8', 'MWvW5UAuWL', 'TCtWztLLyV', 'ProcessDialogKey', 'IUvCRu4VOd', 'nCHCWrjQS4', 'fVpCCPUgyW'
Source: 0.2.invoice & packing list.exe.422c0a0.4.raw.unpack, a3SImVRQIFAnlduMwN.cs	High entropy of concatenated method names: 'ftry4m9djd', 'fu5y5RNfOd', 'J8guR3DhKx', 'zHHuWeHSjW', 'zYFywBOO42', 'rAcyeyX2Wm', 'tuEyoYpQwm', 'NRLyfREgu8', 'JgvyaUps9J', 'YdAyVbv0GA'

Source: C:\Users\user\Desktop\invoice & packing list.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing list.exe	Memory allocated: 24A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Memory allocated: 2640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Memory allocated: 4640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Memory allocated: 8770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Memory allocated: 7100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Memory allocated: 9770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Memory allocated: A770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Memory allocated: AD90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Memory allocated: 8770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Memory allocated: 10E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Memory allocated: 2C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Memory allocated: 4C40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing list.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing list.exe	Window / User API: threadDelayed 1125			Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Window / User API: threadDelayed 4351			Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 6568	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7276	Thread sleep count: 1125 > 30	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7276	Thread sleep count: 4351 > 30	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -99116s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -98769s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -98640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -98531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -98421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -98312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -98091s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -97875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -97765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -97656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -97547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -97437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -97328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -97216s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -97109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe TID: 7272	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing list.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	Process token adjusted: Debug			Jump to behavior

Source: Yara match	File source: 0.2.invoice & packing list.exe.36edbe0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.invoice & packing list.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.invoice & packing list.exe.36b31c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.invoice & packing list.exe.36edbe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.invoice & packing list.exe.36b31c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2874078879.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2874078879.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2872129268.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686242139.00000000036B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: invoice & packing list.exe PID: 6616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: invoice & packing list.exe PID: 6324, type: MEMORYSTR

Source: C:\Users\user\Desktop\invoice & packing list.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing list.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.241.123.30	mail.techwiser.in	United States		46606	UNIFIEDLAYER-AS-1US	false
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

Name	IP	Active
api.ipify.org	172.67.74.152	true
mail.techwiser.in	162.241.123.30	true

ID:	1427730
Product:	CloudBasic
Start time:	02:20:05
Start date:	18.04.2024
Sample:	invoice & packing list.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	e9de39ce29b4e19d9487d6517f5fe390
SHA1:	aa9300231e426c9d0cbffe0bcf36f047235e79a6
SHA256:	24390949599e57a802ea820e402befca0610937e51e19a4db8228235d0017a58
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Windows Analysis Report invoice & packing list.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
invoice & packing list.exe

Malware Threat Intel
Provided by