Edit tour

Windows Analysis Report
z1INVOICE4602-FMT25020147.scr.exe

Overview

General Information

Sample name:	z1INVOICE4602-FMT25020147.scr.exe
Analysis ID:	1631490
MD5:	96564260f9abcab539243aae164715ad
SHA1:	029ce85aea42c7bf60109d49a5fea314f9980e34
SHA256:	218ea3221f1a07f6654e098dc86bd1a001790573d76cc8016dc9c69b93bc2cb9
Tags:	exeuser-Porcupine
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

z1INVOICE4602-FMT25020147.scr.exe (PID: 4796 cmdline: "C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe" MD5: 96564260F9ABCAB539243AAE164715AD)

powershell.exe (PID: 4256 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 1816 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 4028 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp2A88.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 3680 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

GkrJfjIkIvsq.exe (PID: 1536 cmdline: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe MD5: 96564260F9ABCAB539243AAE164715AD)

schtasks.exe (PID: 616 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp34AA.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 4580 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "serverche399@gpsamsterdamqroup.com", "Password": "     j4YX(KT7UCZ1      ", "Host": "fiber13.dnsiaas.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "serverche399@gpsamsterdamqroup.com", "Password": "     j4YX(KT7UCZ1      ", "Host": "fiber13.dnsiaas.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x167a:$a1: get_encryptedPassword 0x1993:$a2: get_encryptedUsername 0x1498:$a3: get_timePasswordChanged 0x1593:$a4: get_passwordField 0x1690:$a5: set_encryptedPassword 0x2cea:$a7: get_logins 0x2c4d:$a10: KeyLoggerEventArgs 0x28b2:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e3d2:$a1: get_encryptedPassword 0x717f2:$a1: get_encryptedPassword 0xb4a12:$a1: get_encryptedPassword 0x2e6eb:$a2: get_encryptedUsername 0x71b0b:$a2: get_encryptedUsername 0xb4d2b:$a2: get_encryptedUsername 0x2e1f0:$a3: get_timePasswordChanged 0x71610:$a3: get_timePasswordChanged 0xb4830:$a3: get_timePasswordChanged 0x2e2eb:$a4: get_passwordField 0x7170b:$a4: get_passwordField 0xb492b:$a4: get_passwordField 0x2e3e8:$a5: set_encryptedPassword 0x71808:$a5: set_encryptedPassword 0xb4a28:$a5: set_encryptedPassword 0x2fa42:$a7: get_logins 0x72e62:$a7: get_logins 0xb6082:$a7: get_logins 0x2f9a5:$a10: KeyLoggerEventArgs 0x72dc5:$a10: KeyLoggerEventArgs 0xb5fe5:$a10: KeyLoggerEventArgs
00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e722:$a1: get_encryptedPassword 0x71b42:$a1: get_encryptedPassword 0xb4d62:$a1: get_encryptedPassword 0x2ea3b:$a2: get_encryptedUsername 0x71e5b:$a2: get_encryptedUsername 0xb507b:$a2: get_encryptedUsername 0x2e540:$a3: get_timePasswordChanged 0x71960:$a3: get_timePasswordChanged 0xb4b80:$a3: get_timePasswordChanged 0x2e63b:$a4: get_passwordField 0x71a5b:$a4: get_passwordField 0xb4c7b:$a4: get_passwordField 0x2e738:$a5: set_encryptedPassword 0x71b58:$a5: set_encryptedPassword 0xb4d78:$a5: set_encryptedPassword 0x2fd92:$a7: get_logins 0x731b2:$a7: get_logins 0xb63d2:$a7: get_logins 0x2fcf5:$a10: KeyLoggerEventArgs 0x73115:$a10: KeyLoggerEventArgs 0xb6335:$a10: KeyLoggerEventArgs
00000007.00000002.3305473597.0000000003241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.3306199090.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: z1INVOICE4602-FMT25020147.scr.exe PID: 4796	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: z1INVOICE4602-FMT25020147.scr.exe PID: 4796	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: z1INVOICE4602-FMT25020147.scr.exe PID: 4796	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: z1INVOICE4602-FMT25020147.scr.exe PID: 4796	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: z1INVOICE4602-FMT25020147.scr.exe PID: 4796	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x70b9b:$a1: get_encryptedPassword 0x70eaa:$a2: get_encryptedUsername 0x709c3:$a3: get_timePasswordChanged 0x70abe:$a4: get_passwordField 0x70bb1:$a5: set_encryptedPassword 0x7305f:$a7: get_logins 0x72fc2:$a10: KeyLoggerEventArgs 0x72c2b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 3680	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3680	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 3680	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 3680	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa25:$a1: get_encryptedPassword 0xd34:$a2: get_encryptedUsername 0x84d:$a3: get_timePasswordChanged 0x948:$a4: get_passwordField 0xa3b:$a5: set_encryptedPassword 0x2ee9:$a7: get_logins 0x2e4c:$a10: KeyLoggerEventArgs 0x2ab5:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: GkrJfjIkIvsq.exe PID: 1536	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: GkrJfjIkIvsq.exe PID: 1536	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: GkrJfjIkIvsq.exe PID: 1536	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: GkrJfjIkIvsq.exe PID: 1536	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: GkrJfjIkIvsq.exe PID: 1536	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x32ab:$a1: get_encryptedPassword 0x35ba:$a2: get_encryptedUsername 0x30d3:$a3: get_timePasswordChanged 0x31ce:$a4: get_passwordField 0x32c1:$a5: set_encryptedPassword 0x576f:$a7: get_logins 0x56d2:$a10: KeyLoggerEventArgs 0x533b:$a11: KeyLoggerEventArgsEventHandler
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.GkrJfjIkIvsq.exe.40c6b58.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.GkrJfjIkIvsq.exe.40c6b58.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.GkrJfjIkIvsq.exe.40c6b58.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.GkrJfjIkIvsq.exe.4109f78.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.GkrJfjIkIvsq.exe.4109f78.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.GkrJfjIkIvsq.exe.4109f78.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.GkrJfjIkIvsq.exe.4109f78.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ba7a:$a1: get_encryptedPassword 0x2bd93:$a2: get_encryptedUsername 0x2b898:$a3: get_timePasswordChanged 0x2b993:$a4: get_passwordField 0x2ba90:$a5: set_encryptedPassword 0x2d0ea:$a7: get_logins 0x2d04d:$a10: KeyLoggerEventArgs 0x2ccb2:$a11: KeyLoggerEventArgsEventHandler
8.2.GkrJfjIkIvsq.exe.4109f78.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x398d8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38f7b:$a3: \Google\Chrome\User Data\Default\Login Data 0x391d8:$a4: \Orbitum\User Data\Default\Login Data 0x39bb7:$a5: \Kometa\User Data\Default\Login Data
0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ba7a:$a1: get_encryptedPassword 0x2bd93:$a2: get_encryptedUsername 0x2b898:$a3: get_timePasswordChanged 0x2b993:$a4: get_passwordField 0x2ba90:$a5: set_encryptedPassword 0x2d0ea:$a7: get_logins 0x2d04d:$a10: KeyLoggerEventArgs 0x2ccb2:$a11: KeyLoggerEventArgsEventHandler
0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x398d8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38f7b:$a3: \Google\Chrome\User Data\Default\Login Data 0x391d8:$a4: \Orbitum\User Data\Default\Login Data 0x39bb7:$a5: \Kometa\User Data\Default\Login Data
8.2.GkrJfjIkIvsq.exe.40c6b58.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ba7a:$a1: get_encryptedPassword 0x2bd93:$a2: get_encryptedUsername 0x2b898:$a3: get_timePasswordChanged 0x2b993:$a4: get_passwordField 0x2ba90:$a5: set_encryptedPassword 0x2d0ea:$a7: get_logins 0x2d04d:$a10: KeyLoggerEventArgs 0x2ccb2:$a11: KeyLoggerEventArgsEventHandler
8.2.GkrJfjIkIvsq.exe.4109f78.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c66c:$s1: UnHook 0x2c673:$s2: SetHook 0x2c67b:$s3: CallNextHook 0x2c688:$s4: _hook
8.2.GkrJfjIkIvsq.exe.40c6b58.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x398d8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38f7b:$a3: \Google\Chrome\User Data\Default\Login Data 0x391d8:$a4: \Orbitum\User Data\Default\Login Data 0x39bb7:$a5: \Kometa\User Data\Default\Login Data
0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c66c:$s1: UnHook 0x2c673:$s2: SetHook 0x2c67b:$s3: CallNextHook 0x2c688:$s4: _hook
0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ba7a:$a1: get_encryptedPassword 0x2bd93:$a2: get_encryptedUsername 0x2b898:$a3: get_timePasswordChanged 0x2b993:$a4: get_passwordField 0x2ba90:$a5: set_encryptedPassword 0x2d0ea:$a7: get_logins 0x2d04d:$a10: KeyLoggerEventArgs 0x2ccb2:$a11: KeyLoggerEventArgsEventHandler
8.2.GkrJfjIkIvsq.exe.40c6b58.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c66c:$s1: UnHook 0x2c673:$s2: SetHook 0x2c67b:$s3: CallNextHook 0x2c688:$s4: _hook
0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x398d8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38f7b:$a3: \Google\Chrome\User Data\Default\Login Data 0x391d8:$a4: \Orbitum\User Data\Default\Login Data 0x39bb7:$a5: \Kometa\User Data\Default\Login Data
0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c66c:$s1: UnHook 0x2c673:$s2: SetHook 0x2c67b:$s3: CallNextHook 0x2c688:$s4: _hook
8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d87a:$a1: get_encryptedPassword 0x70a9a:$a1: get_encryptedPassword 0x2db93:$a2: get_encryptedUsername 0x70db3:$a2: get_encryptedUsername 0x2d698:$a3: get_timePasswordChanged 0x708b8:$a3: get_timePasswordChanged 0x2d793:$a4: get_passwordField 0x709b3:$a4: get_passwordField 0x2d890:$a5: set_encryptedPassword 0x70ab0:$a5: set_encryptedPassword 0x2eeea:$a7: get_logins 0x7210a:$a7: get_logins 0x2ee4d:$a10: KeyLoggerEventArgs 0x7206d:$a10: KeyLoggerEventArgs 0x2eab2:$a11: KeyLoggerEventArgsEventHandler 0x71cd2:$a11: KeyLoggerEventArgsEventHandler
8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b6d8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e8f8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ad7b:$a3: \Google\Chrome\User Data\Default\Login Data 0x7df9b:$a3: \Google\Chrome\User Data\Default\Login Data 0x3afd8:$a4: \Orbitum\User Data\Default\Login Data 0x7e1f8:$a4: \Orbitum\User Data\Default\Login Data 0x3b9b7:$a5: \Kometa\User Data\Default\Login Data 0x7ebd7:$a5: \Kometa\User Data\Default\Login Data
8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e46c:$s1: UnHook 0x7168c:$s1: UnHook 0x2e473:$s2: SetHook 0x71693:$s2: SetHook 0x2e47b:$s3: CallNextHook 0x7169b:$s3: CallNextHook 0x2e488:$s4: _hook 0x716a8:$s4: _hook
0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d87a:$a1: get_encryptedPassword 0x70a9a:$a1: get_encryptedPassword 0x2db93:$a2: get_encryptedUsername 0x70db3:$a2: get_encryptedUsername 0x2d698:$a3: get_timePasswordChanged 0x708b8:$a3: get_timePasswordChanged 0x2d793:$a4: get_passwordField 0x709b3:$a4: get_passwordField 0x2d890:$a5: set_encryptedPassword 0x70ab0:$a5: set_encryptedPassword 0x2eeea:$a7: get_logins 0x7210a:$a7: get_logins 0x2ee4d:$a10: KeyLoggerEventArgs 0x7206d:$a10: KeyLoggerEventArgs 0x2eab2:$a11: KeyLoggerEventArgsEventHandler 0x71cd2:$a11: KeyLoggerEventArgsEventHandler
0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b6d8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e8f8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ad7b:$a3: \Google\Chrome\User Data\Default\Login Data 0x7df9b:$a3: \Google\Chrome\User Data\Default\Login Data 0x3afd8:$a4: \Orbitum\User Data\Default\Login Data 0x7e1f8:$a4: \Orbitum\User Data\Default\Login Data 0x3b9b7:$a5: \Kometa\User Data\Default\Login Data 0x7ebd7:$a5: \Kometa\User Data\Default\Login Data
0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e46c:$s1: UnHook 0x7168c:$s1: UnHook 0x2e473:$s2: SetHook 0x71693:$s2: SetHook 0x2e47b:$s3: CallNextHook 0x7169b:$s3: CallNextHook 0x2e488:$s4: _hook 0x716a8:$s4: _hook
8.2.GkrJfjIkIvsq.exe.40c6b58.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.GkrJfjIkIvsq.exe.40c6b58.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.GkrJfjIkIvsq.exe.40c6b58.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.GkrJfjIkIvsq.exe.40c6b58.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d87a:$a1: get_encryptedPassword 0x70c9a:$a1: get_encryptedPassword 0xb3eba:$a1: get_encryptedPassword 0x2db93:$a2: get_encryptedUsername 0x70fb3:$a2: get_encryptedUsername 0xb41d3:$a2: get_encryptedUsername 0x2d698:$a3: get_timePasswordChanged 0x70ab8:$a3: get_timePasswordChanged 0xb3cd8:$a3: get_timePasswordChanged 0x2d793:$a4: get_passwordField 0x70bb3:$a4: get_passwordField 0xb3dd3:$a4: get_passwordField 0x2d890:$a5: set_encryptedPassword 0x70cb0:$a5: set_encryptedPassword 0xb3ed0:$a5: set_encryptedPassword 0x2eeea:$a7: get_logins 0x7230a:$a7: get_logins 0xb552a:$a7: get_logins 0x2ee4d:$a10: KeyLoggerEventArgs 0x7226d:$a10: KeyLoggerEventArgs 0xb548d:$a10: KeyLoggerEventArgs
0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.GkrJfjIkIvsq.exe.40c6b58.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b6d8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7eaf8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc1d18:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ad7b:$a3: \Google\Chrome\User Data\Default\Login Data 0x7e19b:$a3: \Google\Chrome\User Data\Default\Login Data 0xc13bb:$a3: \Google\Chrome\User Data\Default\Login Data 0x3afd8:$a4: \Orbitum\User Data\Default\Login Data 0x7e3f8:$a4: \Orbitum\User Data\Default\Login Data 0xc1618:$a4: \Orbitum\User Data\Default\Login Data 0x3b9b7:$a5: \Kometa\User Data\Default\Login Data 0x7edd7:$a5: \Kometa\User Data\Default\Login Data 0xc1ff7:$a5: \Kometa\User Data\Default\Login Data
0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d87a:$a1: get_encryptedPassword 0x70c9a:$a1: get_encryptedPassword 0xb3eba:$a1: get_encryptedPassword 0x2db93:$a2: get_encryptedUsername 0x70fb3:$a2: get_encryptedUsername 0xb41d3:$a2: get_encryptedUsername 0x2d698:$a3: get_timePasswordChanged 0x70ab8:$a3: get_timePasswordChanged 0xb3cd8:$a3: get_timePasswordChanged 0x2d793:$a4: get_passwordField 0x70bb3:$a4: get_passwordField 0xb3dd3:$a4: get_passwordField 0x2d890:$a5: set_encryptedPassword 0x70cb0:$a5: set_encryptedPassword 0xb3ed0:$a5: set_encryptedPassword 0x2eeea:$a7: get_logins 0x7230a:$a7: get_logins 0xb552a:$a7: get_logins 0x2ee4d:$a10: KeyLoggerEventArgs 0x7226d:$a10: KeyLoggerEventArgs 0xb548d:$a10: KeyLoggerEventArgs
0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b6d8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7eaf8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc1d18:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ad7b:$a3: \Google\Chrome\User Data\Default\Login Data 0x7e19b:$a3: \Google\Chrome\User Data\Default\Login Data 0xc13bb:$a3: \Google\Chrome\User Data\Default\Login Data 0x3afd8:$a4: \Orbitum\User Data\Default\Login Data 0x7e3f8:$a4: \Orbitum\User Data\Default\Login Data 0xc1618:$a4: \Orbitum\User Data\Default\Login Data 0x3b9b7:$a5: \Kometa\User Data\Default\Login Data 0x7edd7:$a5: \Kometa\User Data\Default\Login Data 0xc1ff7:$a5: \Kometa\User Data\Default\Login Data
8.2.GkrJfjIkIvsq.exe.40c6b58.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e46c:$s1: UnHook 0x7188c:$s1: UnHook 0xb4aac:$s1: UnHook 0x2e473:$s2: SetHook 0x71893:$s2: SetHook 0xb4ab3:$s2: SetHook 0x2e47b:$s3: CallNextHook 0x7189b:$s3: CallNextHook 0xb4abb:$s3: CallNextHook 0x2e488:$s4: _hook 0x718a8:$s4: _hook 0xb4ac8:$s4: _hook
0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e46c:$s1: UnHook 0x7188c:$s1: UnHook 0xb4aac:$s1: UnHook 0x2e473:$s2: SetHook 0x71893:$s2: SetHook 0xb4ab3:$s2: SetHook 0x2e47b:$s3: CallNextHook 0x7189b:$s3: CallNextHook 0xb4abb:$s3: CallNextHook 0x2e488:$s4: _hook 0x718a8:$s4: _hook 0xb4ac8:$s4: _hook
Click to see the 43 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe", ParentImage: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe, ParentProcessId: 4796, ParentProcessName: z1INVOICE4602-FMT25020147.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe", ProcessId: 4256, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp34AA.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp34AA.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe, ParentImage: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe, ParentProcessId: 1536, ParentProcessName: GkrJfjIkIvsq.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp34AA.tmp", ProcessId: 616, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp2A88.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp2A88.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe", ParentImage: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe, ParentProcessId: 4796, ParentProcessName: z1INVOICE4602-FMT25020147.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp2A88.tmp", ProcessId: 4028, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe", ParentImage: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe, ParentProcessId: 4796, ParentProcessName: z1INVOICE4602-FMT25020147.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe", ProcessId: 4256, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp2A88.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp2A88.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe", ParentImage: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe, ParentProcessId: 4796, ParentProcessName: z1INVOICE4602-FMT25020147.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp2A88.tmp", ProcessId: 4028, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T08:31:39.276705+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49708	132.226.247.73	80	TCP
2025-03-07T08:31:41.620530+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49711	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "serverche399@gpsamsterdamqroup.com", "Password": " j4YX(KT7UCZ1 ", "Host": "fiber13.dnsiaas.com", "Port": "587"}
Source: 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "serverche399@gpsamsterdamqroup.com", "Password": " j4YX(KT7UCZ1 ", "Host": "fiber13.dnsiaas.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Virustotal: Detection: 33%			Perma Link

Multi AV Scanner detection for submitted file

Source: z1INVOICE4602-FMT25020147.scr.exe	Virustotal: Detection: 33%			Perma Link
Source: z1INVOICE4602-FMT25020147.scr.exe	ReversingLabs: Detection: 39%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack	String decryptor: serverche399@gpsamsterdamqroup.com
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack	String decryptor: j4YX(KT7UCZ1
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack	String decryptor: fiber13.dnsiaas.com
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack	String decryptor: lukasnakelogger@dklak.cam
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack	String decryptor: 587
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: z1INVOICE4602-FMT25020147.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: z1INVOICE4602-FMT25020147.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49711 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49708 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, GkrJfjIkIvsq.exe, 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.0000000003241000.00000004.00000800.00020000.00000000.sdmp, GkrJfjIkIvsq.exe, 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.0000000003241000.00000004.00000800.00020000.00000000.sdmp, GkrJfjIkIvsq.exe, 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000007.00000002.3305473597.0000000003339000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.0000000003306000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000007.00000002.3305473597.0000000003339000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.00000000032F9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.0000000003306000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000007.00000002.3305473597.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3304054465.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 0000000C.00000002.3304054465.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/U3hz
Source: z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, GkrJfjIkIvsq.exe, 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: z1INVOICE4602-FMT25020147.scr.exe, GkrJfjIkIvsq.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: z1INVOICE4602-FMT25020147.scr.exe, GkrJfjIkIvsq.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: z1INVOICE4602-FMT25020147.scr.exe, GkrJfjIkIvsq.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000007.00000002.3305473597.0000000003326000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2097473299.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.0000000003241000.00000004.00000800.00020000.00000000.sdmp, GkrJfjIkIvsq.exe, 00000008.00000002.2127026346.00000000028B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.0000000003241000.00000004.00000800.00020000.00000000.sdmp, GkrJfjIkIvsq.exe, 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, GkrJfjIkIvsq.exe, 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000007.00000002.3305473597.0000000003339000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.0000000003306000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.0000000003306000.00000004.00000800.00020000.00000000.sdmp, GkrJfjIkIvsq.exe, 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002C86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 0000000C.00000002.3306199090.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000007.00000002.3305473597.0000000003339000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RegSvcs.exe, 00000007.00000002.3304591342.0000000001691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189t
Source: z1INVOICE4602-FMT25020147.scr.exe, GkrJfjIkIvsq.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: z1INVOICE4602-FMT25020147.scr.exe PID: 4796, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 3680, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: GkrJfjIkIvsq.exe PID: 1536, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: z1INVOICE4602-FMT25020147.scr.exe

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_02E43E40	0_2_02E43E40
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_02E46F90	0_2_02E46F90
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_02E46F99	0_2_02E46F99
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_02E4DA7C	0_2_02E4DA7C
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_05450509	0_2_05450509
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_05450511	0_2_05450511
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_05450518	0_2_05450518
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_0749E748	0_2_0749E748
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_0749E758	0_2_0749E758
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_0749C678	0_2_0749C678
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_0749B300	0_2_0749B300
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_0749C240	0_2_0749C240
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_0749EE08	0_2_0749EE08
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_0749EE18	0_2_0749EE18
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_0749DA71	0_2_0749DA71
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_0749DA80	0_2_0749DA80
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_074F25E2	0_2_074F25E2
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_074F4478	0_2_074F4478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05729DE0	7_2_05729DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05723E18	7_2_05723E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05727118	7_2_05727118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_057269B0	7_2_057269B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05725370	7_2_05725370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0572C2E3	7_2_0572C2E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_057229EC	7_2_057229EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05723B83	7_2_05723B83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05723AA1	7_2_05723AA1
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_026F3E40	8_2_026F3E40
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_026F6F90	8_2_026F6F90
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_026FDA7C	8_2_026FDA7C
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_06D7C678	8_2_06D7C678
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_06D7E754	8_2_06D7E754
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_06D7E750	8_2_06D7E750
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_06D7E758	8_2_06D7E758
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_06D7E748	8_2_06D7E748
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_06D7C240	8_2_06D7C240
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_06D7B300	8_2_06D7B300
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_06D7EE15	8_2_06D7EE15
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_06D7EE10	8_2_06D7EE10
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_06D7EE18	8_2_06D7EE18
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_06D7EE08	8_2_06D7EE08
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_06D7DA80	8_2_06D7DA80
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_06D7DA71	8_2_06D7DA71
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_06DD3791	8_2_06DD3791
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_06DD1920	8_2_06DD1920
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_06DD1911	8_2_06DD1911
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_011669A0	12_2_011669A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0116A088	12_2_0116A088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01165370	12_2_01165370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0116C2E2	12_2_0116C2E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01166FC8	12_2_01166FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01163E09	12_2_01163E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_011629E0	12_2_011629E0

Source: z1INVOICE4602-FMT25020147.scr.exe

Static PE information: invalid certificate

Source: z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2100915010.00000000072FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs z1INVOICE4602-FMT25020147.scr.exe
Source: z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2096254755.00000000010BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs z1INVOICE4602-FMT25020147.scr.exe
Source: z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2097473299.0000000002F43000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs z1INVOICE4602-FMT25020147.scr.exe
Source: z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2101608777.0000000007540000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs z1INVOICE4602-FMT25020147.scr.exe
Source: z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2097473299.000000000313A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs z1INVOICE4602-FMT25020147.scr.exe
Source: z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs z1INVOICE4602-FMT25020147.scr.exe
Source: z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2100720897.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs z1INVOICE4602-FMT25020147.scr.exe
Source: z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000000.2061543704.0000000000BCC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameuUch.exe2 vs z1INVOICE4602-FMT25020147.scr.exe
Source: z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2097473299.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs z1INVOICE4602-FMT25020147.scr.exe
Source: z1INVOICE4602-FMT25020147.scr.exe	Binary or memory string: OriginalFilenameuUch.exe2 vs z1INVOICE4602-FMT25020147.scr.exe

Source: z1INVOICE4602-FMT25020147.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: z1INVOICE4602-FMT25020147.scr.exe PID: 4796, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 3680, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: GkrJfjIkIvsq.exe PID: 1536, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: z1INVOICE4602-FMT25020147.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GkrJfjIkIvsq.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack, W---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack, W---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack, W---.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, EpiQCxc9VMC7hTOMpe.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, EpiQCxc9VMC7hTOMpe.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, nG2drGuyLS3vYjcIWy.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, nG2drGuyLS3vYjcIWy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, nG2drGuyLS3vYjcIWy.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@16/11@2/2

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe

File created: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6972:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Mutant created: \Sessions\1\BaseNamedObjects\iZGUnXkqDnGU
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5024:120:WilError_03

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2A88.tmp

Jump to behavior

Source: z1INVOICE4602-FMT25020147.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: z1INVOICE4602-FMT25020147.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: z1INVOICE4602-FMT25020147.scr.exe	Virustotal: Detection: 33%
Source: z1INVOICE4602-FMT25020147.scr.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe

File read: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe "C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe"
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp2A88.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp34AA.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp2A88.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp34AA.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: z1INVOICE4602-FMT25020147.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: z1INVOICE4602-FMT25020147.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, nG2drGuyLS3vYjcIWy.cs

.Net Code: lcNc9qlIdv System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Code function: 0_2_074F21B8 push eax; retf	0_2_074F21C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05729A20 push esp; retf 057Ah	7_2_05729D55
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Code function: 8_2_06DD14E9 push eax; retf	8_2_06DD14F5

Source: z1INVOICE4602-FMT25020147.scr.exe	Static PE information: section name: .text entropy: 7.882709817311521
Source: GkrJfjIkIvsq.exe.0.dr	Static PE information: section name: .text entropy: 7.882709817311521

Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, lh5hsZomdT85ACCdiNO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KWekbKq2tD', 'nefk2tW0TI', 'vwak6FRflB', 'H8Ak8yTZOB', 'B7pkAyibbo', 'WxekHYlQgC', 'Lxqku1J4SK'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, uwkooDokXoDLCodAved.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WYrehaa18d', 'jZQekPtHmw', 'iKceGW434u', 'egceeunZAg', 'soFe1bG2kG', 'V1beIJ9G0v', 'E8ke5sTslW'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, R9Jb2E1RRiCCZVqkGb.cs	High entropy of concatenated method names: 't3DhTYuOFa', 'ihVhQfrkb2', 'xmfhhuvHrT', 'hoYhG1HU2o', 'Lleh1BdOxQ', 'Jiuh5wA1on', 'Dispose', 'g3twJBgBZM', 'inNwd7ohJU', 'UdtwlpDyWi'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, oOxDbagMJKZsNo2dvc.cs	High entropy of concatenated method names: 'K1CQmysmQr', 'AglQyef1lN', 'U9uwfZaS7u', 'uDnwglie3F', 'JsuQbufHTl', 'CmPQ2NXY82', 'XotQ6LGWnT', 'jBxQ8GAwd5', 'pCTQAGn2nl', 'cc9QHZDuqn'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, DoIiAEkyaQuHbqkTTb.cs	High entropy of concatenated method names: 'qWbgUGL8Bn', 'Q0NgRgF6bo', 'ME0gWSEeQ0', 's7igLDPvJb', 'a57gTcB0ur', 'tbqgXI0ik6', 'nAZyGsivk4VRKAJaS4', 'uFIXFxOE3VdHlLrcPD', 'drFggjnpNr', 'WmQgYoM0nl'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, v6JcNqIbwGd59rTITn.cs	High entropy of concatenated method names: 'HegU7lMyQP', 'V9LUsRKfdC', 'sBTU9H3WNA', 'dhoUPOl2rT', 'LALU3ShaWK', 'N0xUpalTWD', 'TXWUMEvm27', 'udJUvpxtHn', 'eptUCTp5LT', 'o4CUjVlY8B'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, hl1NWrzf5ApX52joGH.cs	High entropy of concatenated method names: 'slhkpUvSxU', 'gT8kvedE6u', 'q4gkCCNbEJ', 'rCbkO1OH98', 'fTHkZ0ovAr', 'xWDkKL96Py', 'kSFkihUcKJ', 'vExk5dVj0h', 'aRwk7dffR7', 'stMksmHJuA'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, uOsuhwSPiZwJl2c4KB.cs	High entropy of concatenated method names: 'd61klSxNOK', 'RwgkDHEiod', 'roIkNPpRt6', 'CTRkUIEEMS', 'EDDkhGYwCu', 'dNykRhO0HH', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, o7RATW4VOeD2rsFkoA.cs	High entropy of concatenated method names: 'ktM9DuRgc', 'zLdP7HqVV', 'Tgvp8fZdV', 'uZNMWSb56', 'YQQCpR2gx', 'iLQjWTWIC', 'JI2IXyD3yLf2UQ7RoO', 'eHYFf5RQTuJoRe1eqB', 'OZIwcLLu8', 'XnmkMln6H'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, fZxdHjHRl0qBPbcDqk.cs	High entropy of concatenated method names: 'ToString', 'alpXbSNdFx', 'rBsXZyM9Uo', 'XZqXnLj2GO', 'L7rXKRuHQI', 'eVKXiv8Vb0', 'yOIXaQX2Ot', 'g8IX4yayxn', 'FjWXSg6ESC', 'rW1XECsm0N'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, kH0TUWliFVklrn1hl0.cs	High entropy of concatenated method names: 'Dispose', 'aF8goJ7krs', 'L29rZ8xdSD', 'EY8ex1n9vx', 'qRRgyuLWkl', 'ASXgzBnWK3', 'ProcessDialogKey', 'OYPrfgmGHN', 'R5Orgy3Q9a', 'UG7rrJ1pUB'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, aB9kRLjR2sxxgVDd39.cs	High entropy of concatenated method names: 'fyJUJVE3KJ', 'cC2Ul1S8TQ', 'wYbUNV1CU5', 'x0JNyNH8TP', 'OccNzaiI6f', 'C9iUfW0sp8', 'j9IUg0KZqS', 'RhOUrBONRk', 'Xt5UYXYnB7', 'wIgUcJCsJw'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, WlSS2N5ftf7AGFj7Br.cs	High entropy of concatenated method names: 'iZwVvRdbuy', 'GFUVCyaVMg', 'gl8VOq68Kn', 'evIVZx383W', 'srYVKB67PQ', 'UeYViHBB2s', 'E8kV4nrU17', 'P8PVSQO9UO', 'bLmVFaYnCM', 'tGLVbkQAgL'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, nTTya6oolYRH8cRMYmk.cs	High entropy of concatenated method names: 'TfHkyI4KPB', 'HbdkzI5h4Y', 'Y9iGfUQGvD', 'vyDGg5YUES', 'DaCGrZ2Yk0', 'xUbGY4WHU9', 'Np6GcWlBML', 'hriGBGfu4D', 'ze7GJVVoYX', 'HQRGdQKV1M'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, A67Y8Mnf25Fm3Vmw4D.cs	High entropy of concatenated method names: 'PMJhO9rIyy', 'aK4hZFgNhC', 't2ThnwQ5hp', 'jAHhKOjHi4', 'dkjhiPHclC', 'mpQhasP6n6', 'wobh4I5FqI', 'q4MhSq6oLR', 'CKYhEynkPS', 'rmXhFosinw'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, uxhg1Kxs7TQimTxWrs.cs	High entropy of concatenated method names: 'CssNBERX8k', 'nRcNdEKExq', 'u9ANDx8j7Z', 'QALNUkD4Ch', 'XI7NRnRFHQ', 'UixDxqMbx4', 'OkQDtB9BNe', 'MJED0WgRAE', 'Qc2Dm86IgW', 'tQGDofR4Ir'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, MT41XGvQbGjqgQh3ER.cs	High entropy of concatenated method names: 'khYlP3CjDm', 'aWklpP063K', 'V0wlva07GG', 'QO4lCLPc72', 'jnilT1TvDU', 'lLmlXmKWpZ', 'll3lQeQqo9', 'UUDlwMWpIN', 'IEXlh0p6Kd', 'dlClkW0yvU'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, nG2drGuyLS3vYjcIWy.cs	High entropy of concatenated method names: 'ClCYBxOruo', 'bZCYJi40h1', 'lbkYdOUV3Q', 'F8jYl1g3MF', 'H5cYDAPnXl', 'joXYN2r2Gx', 'pSlYUpNVFF', 'kW2YR2g5it', 'Q5qYqxZa2N', 'PfVYWaP10c'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, einkfJEyGb8PYpPDBa.cs	High entropy of concatenated method names: 'Gn6TFo6402', 'tgdT2dQXfH', 'bDmT8FH1aF', 'RLQTAbOdvx', 'eWoTZKfc5i', 'TYZTnEPR5q', 'KdOTKe1aSu', 'sTLTiGAoWk', 'sEdTahAQ8Y', 'mq7T430tng'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, EpiQCxc9VMC7hTOMpe.cs	High entropy of concatenated method names: 'wG2d8pxNZW', 'WFadAegokQ', 'JWxdHPdCNn', 'nwoduZnieN', 'ImPdxN2Wfy', 'FLrdt1WAO6', 'tlFd0XHgUj', 'QHCdm7NlOO', 'LtddoCmSJo', 'PC0dy7d1iB'
Source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.7540000.5.raw.unpack, iiAm3Sb9rqhxvBmCMW.cs	High entropy of concatenated method names: 'qngQWXu42k', 'RRpQLaBQwM', 'ToString', 'HKrQJhmxLD', 'eGUQdxYqVb', 'igqQlTHMUU', 'YUPQDWjnD3', 'y7jQNwjghA', 'T1xQUjbM83', 'msfQRMVV0g'

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe

File created: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp2A88.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: z1INVOICE4602-FMT25020147.scr.exe PID: 4796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GkrJfjIkIvsq.exe PID: 1536, type: MEMORYSTR

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Memory allocated: 4EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Memory allocated: 7B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Memory allocated: 8B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Memory allocated: 8D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Memory allocated: 9D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Memory allocated: EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Memory allocated: 2860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Memory allocated: 4860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Memory allocated: 6FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Memory allocated: 7FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Memory allocated: 8160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Memory allocated: 9160000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599673	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594624	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594824	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6406	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3341	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1701	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8143	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8434	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1428	Jump to behavior

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe TID: 3396	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6528	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe TID: 4140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599673	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594624	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594824	Jump to behavior

Source: RegSvcs.exe, 0000000C.00000002.3304502364.0000000000D1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: GkrJfjIkIvsq.exe, 00000008.00000002.2123843014.00000000009E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RegSvcs.exe, 00000007.00000002.3304591342.0000000001636000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe"
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe"			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 444000	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 446000	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 100E008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 444000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 446000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 9BA008	Jump to behavior

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp2A88.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp34AA.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Queries volume information: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Queries volume information: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000007.00000002.3305473597.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3306199090.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z1INVOICE4602-FMT25020147.scr.exe PID: 4796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GkrJfjIkIvsq.exe PID: 1536, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z1INVOICE4602-FMT25020147.scr.exe PID: 4796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GkrJfjIkIvsq.exe PID: 1536, type: MEMORYSTR

Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z1INVOICE4602-FMT25020147.scr.exe PID: 4796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GkrJfjIkIvsq.exe PID: 1536, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000007.00000002.3305473597.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3306199090.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z1INVOICE4602-FMT25020147.scr.exe PID: 4796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GkrJfjIkIvsq.exe PID: 1536, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.4109f78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.47492c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.GkrJfjIkIvsq.exe.40c6b58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1INVOICE4602-FMT25020147.scr.exe.4705ea8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z1INVOICE4602-FMT25020147.scr.exe PID: 4796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GkrJfjIkIvsq.exe PID: 1536, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
z1INVOICE4602-FMT25020147.scr.exe	33%	Virustotal		Browse
z1INVOICE4602-FMT25020147.scr.exe	39%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	39%	ReversingLabs
C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe	33%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.32.1	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://aborters.duckdns.org:8081	z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.0000000003241000.00000004.00000800.00020000.00000000.sdmp, GkrJfjIkIvsq.exe, 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189	RegSvcs.exe, 0000000C.00000002.3306199090.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, GkrJfjIkIvsq.exe, 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.0000000003241000.00000004.00000800.00020000.00000000.sdmp, GkrJfjIkIvsq.exe, 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/U3hz	RegSvcs.exe, 0000000C.00000002.3304054465.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, GkrJfjIkIvsq.exe, 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000007.00000002.3305473597.0000000003339000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000007.00000002.3305473597.0000000003326000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000007.00000002.3305473597.0000000003339000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.0000000003306000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000007.00000002.3305473597.0000000003339000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.00000000032F9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.0000000003306000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000007.00000002.3305473597.0000000003339000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.0000000003306000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2097473299.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.0000000003241000.00000004.00000800.00020000.00000000.sdmp, GkrJfjIkIvsq.exe, 00000008.00000002.2127026346.00000000028B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	z1INVOICE4602-FMT25020147.scr.exe, GkrJfjIkIvsq.exe.0.dr	false	high
http://varders.kozow.com:8081	z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.0000000003241000.00000004.00000800.00020000.00000000.sdmp, GkrJfjIkIvsq.exe, 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189t	RegSvcs.exe, 00000007.00000002.3304591342.0000000001691000.00000004.00000020.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, GkrJfjIkIvsq.exe, 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	z1INVOICE4602-FMT25020147.scr.exe, 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3305473597.0000000003306000.00000004.00000800.00020000.00000000.sdmp, GkrJfjIkIvsq.exe, 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3306199090.0000000002C86000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.32.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1631490
Start date and time:	2025-03-07 08:30:41 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	z1INVOICE4602-FMT25020147.scr.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@16/11@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 144 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com
Execution Graph export aborted for target RegSvcs.exe, PID 3680 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 4580 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:31:35	API Interceptor	1x Sleep call for process: z1INVOICE4602-FMT25020147.scr.exe modified
02:31:37	API Interceptor	11x Sleep call for process: powershell.exe modified
02:31:38	API Interceptor	1x Sleep call for process: GkrJfjIkIvsq.exe modified
02:33:18	API Interceptor	344x Sleep call for process: RegSvcs.exe modified
08:31:37	Task Scheduler	Run new task: GkrJfjIkIvsq path: C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.32.1	Payment Invoice ref0306252.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	DHL AWB Receipt_pdf.bat.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe	Get hash	malicious	FormBook	Browse	www.kdrqcyusevx.info/k7wl/
	PRI_VTK250419A.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/scc1/five/fre.php
	Stormwater Works Drawings Spec.js	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	SFT20020117.exe	Get hash	malicious	FormBook	Browse	www.fz977.xyz/7p42/
	PO from tpc Type 34.1 34,2 35 Spec.js	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook	Browse	www.clouser.store/3r9x/
	PO 87877889X,pdf.Vbs.vbs	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	http://projectlombok.org	Get hash	malicious	Unknown	Browse	projectlombok.org/
132.226.247.73	Ziraat_Bankasi_Swift_Messaji.png.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Repeat Order.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	HAWB772384266855 2846086773 G#U00f6nderinizinETGB .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	MEDUCK217841.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SOA_TONG WOH ENTERPRISE SDN BHD.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rRessourcestyrings.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	90939298323.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	Payment Advice.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	50% deposit's payment advice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rPurchaseOrder-25-1201.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	YKBGunlukEkstre.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.112.1
	Ziraat_Bankasi_Swift_Messaji.png.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	Repeat Order.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	March Shipment Documents.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	104.21.48.1
	rDoubleheartedness.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.64.1
	PROFORMA INVOICE.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	SecuriteInfo.com.Win32.PWSX-gen.12871.17752.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	BL NO - SNKO05B250100198.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
checkip.dyndns.com	YKBGunlukEkstre.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	Ziraat_Bankasi_Swift_Messaji.png.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Repeat Order.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	March Shipment Documents.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	132.226.8.169
	rDoubleheartedness.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	PROFORMA INVOICE.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	SecuriteInfo.com.Win32.PWSX-gen.12871.17752.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	BL NO - SNKO05B250100198.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	Ziraat_Bankasi_Swift_Messaji.png.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Repeat Order.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	132.226.8.169
	rDoubleheartedness.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	HAWB772384266855 2846086773 G#U00f6nderinizinETGB .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	SAGPU05R03 - 01-YS-00052201.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	132.226.8.169
	MEDUCK217841.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
CLOUDFLARENETUS	https://worker-rough-fire-759a.berwieberwieberwieberwieberwie.workers.dev/?eba=.htm	Get hash	malicious	Unknown	Browse	172.67.206.91
	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	104.21.112.1
	YKBGunlukEkstre.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	Payment Invoice ref0306252.exe	Get hash	malicious	FormBook	Browse	104.21.32.1
	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.112.1
	xworm.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	bkHLzNaNMS.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	bkHLzNaNMS.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	ba.bat	Get hash	malicious	Unknown	Browse	162.159.134.42
	datasheet.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

Process:	C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z1INVOICE4602-FMT25020147.scr.exe.log

Download File

Process:	C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.3810236212315665
Encrypted:	false
SSDEEP:	48:lylWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//8PUyus:lGLHxv2IfLZ2KRH6Oug8s
MD5:	23CD070A7721E36DDF5C8E71F8D1FD3E
SHA1:	4893763E45AFB4A77C815AE1A887047A46C130F1
SHA-256:	601A6D49F6245C49A5CA7E3B91DB5E7E9EC07DCECEB9A7569CB389ACBA03230A
SHA-512:	B6E96C74B82A9D667E0F139D2327C651FCC4B7CB18AEC6E825F6F6B3CF5865F79810962E86FEE34E30E75C29668B2D2571F1C533457BECC3344AB81CB888D8D7
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1qcjrtbk.mls.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ao4bdkvr.eh4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gpjewhhm.frc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gympkans.hts.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp2A88.tmp

Download File

Process:	C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1585
Entropy (8bit):	5.113094524877874
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtXxvn:cgergYrFdOFzOzN33ODOiDdKrsuThv
MD5:	83F0D9BE5522E8DDB6B272769ED23986
SHA1:	60D70E2891F7EC8886B95C3996C4463158D6C81E
SHA-256:	60B4A2D943FFEFB86B5791460E6BE17984E57901140F3C7E3710D05CAD8E0EB5
SHA-512:	E7F887DBC5DF3AEF1380B7B919D7FD36052B1611C0654E32ED6F29EB0BBECBC6AE9FA94EBB2DAD03404F26D70D871965323F98C2D150193D895B2031C0CDB8E4
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp34AA.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1585
Entropy (8bit):	5.113094524877874
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtXxvn:cgergYrFdOFzOzN33ODOiDdKrsuThv
MD5:	83F0D9BE5522E8DDB6B272769ED23986
SHA1:	60D70E2891F7EC8886B95C3996C4463158D6C81E
SHA-256:	60B4A2D943FFEFB86B5791460E6BE17984E57901140F3C7E3710D05CAD8E0EB5
SHA-512:	E7F887DBC5DF3AEF1380B7B919D7FD36052B1611C0654E32ED6F29EB0BBECBC6AE9FA94EBB2DAD03404F26D70D871965323F98C2D150193D895B2031C0CDB8E4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe

Download File

Process:	C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	708616
Entropy (8bit):	7.874843997410482
Encrypted:	false
SSDEEP:	12288:zql+0LeY8o6CPjfkzrtCf+8/ganR6Kfk/yMCX/aIZj/iYfA0vTwf7LBn624F5oNy:zU++eYJ64j6Jg6KfKVsas/Bf/ILBn62K
MD5:	96564260F9ABCAB539243AAE164715AD
SHA1:	029CE85AEA42C7BF60109D49A5FEA314F9980E34
SHA-256:	218EA3221F1A07F6654E098DC86BD1A001790573D76CC8016DC9C69B93BC2CB9
SHA-512:	55A796780967434B45338A7FD225F1D8B05FA840F3117D1AB38AF11256AF07A08ED653B368C0E17D1AD299B8AD0ACBC317B2AF8E0992C9806272C784AFD19732
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39% Antivirus: Virustotal, Detection: 33%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...No.g..............0.................. ........@.. ....................................@....................................O........................6........................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........J...7..............!..........................................z..}......}.....(.......(.......0..@..........}.....{.....{....o....r...p.{....o.....o....o....(....o......0............o..........,...{....o....&....0............{....o.....{....o.....o....o....o......,7...}.....{....r...p.{....o.....o....o....(....o......+5...}.....{....r...p.{....o.....o....o....(....o.......0...........#........%....{....o....(......#.-DT.!.@Z#......f@[.r...p..{.........,0.r...p..

C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.874843997410482
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	z1INVOICE4602-FMT25020147.scr.exe
File size:	708'616 bytes
MD5:	96564260f9abcab539243aae164715ad
SHA1:	029ce85aea42c7bf60109d49a5fea314f9980e34
SHA256:	218ea3221f1a07f6654e098dc86bd1a001790573d76cc8016dc9c69b93bc2cb9
SHA512:	55a796780967434b45338a7fd225f1d8b05fa840f3117d1ab38af11256af07a08ed653b368c0e17d1ad299b8ad0acbc317b2af8e0992c9806272c784afd19732
SSDEEP:	12288:zql+0LeY8o6CPjfkzrtCf+8/ganR6Kfk/yMCX/aIZj/iYfA0vTwf7LBn624F5oNy:zU++eYJ64j6Jg6KfKVsas/Bf/ILBn62K
TLSH:	06E412E87958D812DEE90BB04271E77A5379BEACE911D3038EECACDF3851720A51D712
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...No.g..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	7549656d6d398e8d

Static PE Info

General

Entrypoint:	0x4aa32e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67CA6F4E [Fri Mar 7 04:00:14 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaa2dc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x10c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa9a00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xae000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa8334	0xa8400	ac09b8e44e9bf2978a76973f5f9829d4	False	0.9409462643945022	data	7.882709817311521	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0x10c4	0x1200	55cd11ebd82af0a6a4887ed24c2e0bbb	False	0.7133246527777778	data	6.446152893656869	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xae000	0xc	0x200	ce3e264c39b112bfa69c0ccba9626b5a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xac0c8	0xc7a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8810269254852849
RT_GROUP_ICON	0xacd54	0x14	data	1.05
RT_VERSION	0xacd78	0x348	data	0.4357142857142857

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments	ExternalDSL
CompanyName	WF_SINCOS
FileDescription	WF LOGIN
FileVersion	1.1.2.2
InternalName	uUch.exe
LegalCopyright	WF_SINCOS 2024 (C)
LegalTrademarks	ExternalDSL
OriginalFilename	uUch.exe
ProductName	WF-LOGIN
ProductVersion	1.1.2.2
Assembly Version	1.1.0.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-07T08:31:39.276705+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49708	132.226.247.73	80	TCP
2025-03-07T08:31:41.620530+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49711	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 08:31:38.186741114 CET	49708	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:31:38.192236900 CET	80	49708	132.226.247.73	192.168.2.5
Mar 7, 2025 08:31:38.192310095 CET	49708	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:31:38.192492962 CET	49708	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:31:38.198451996 CET	80	49708	132.226.247.73	192.168.2.5
Mar 7, 2025 08:31:39.012908936 CET	80	49708	132.226.247.73	192.168.2.5
Mar 7, 2025 08:31:39.017469883 CET	49708	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:31:39.022532940 CET	80	49708	132.226.247.73	192.168.2.5
Mar 7, 2025 08:31:39.226174116 CET	80	49708	132.226.247.73	192.168.2.5
Mar 7, 2025 08:31:39.276705027 CET	49708	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:31:39.315749884 CET	49710	443	192.168.2.5	104.21.32.1
Mar 7, 2025 08:31:39.315782070 CET	443	49710	104.21.32.1	192.168.2.5
Mar 7, 2025 08:31:39.316004038 CET	49710	443	192.168.2.5	104.21.32.1
Mar 7, 2025 08:31:39.321626902 CET	49710	443	192.168.2.5	104.21.32.1
Mar 7, 2025 08:31:39.321640968 CET	443	49710	104.21.32.1	192.168.2.5
Mar 7, 2025 08:31:40.674405098 CET	49711	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:31:40.680351973 CET	80	49711	132.226.247.73	192.168.2.5
Mar 7, 2025 08:31:40.680593014 CET	49711	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:31:40.680855989 CET	49711	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:31:40.686362028 CET	80	49711	132.226.247.73	192.168.2.5
Mar 7, 2025 08:31:41.362386942 CET	80	49711	132.226.247.73	192.168.2.5
Mar 7, 2025 08:31:41.365888119 CET	49711	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:31:41.370969057 CET	80	49711	132.226.247.73	192.168.2.5
Mar 7, 2025 08:31:41.573961973 CET	80	49711	132.226.247.73	192.168.2.5
Mar 7, 2025 08:31:41.603737116 CET	49713	443	192.168.2.5	104.21.32.1
Mar 7, 2025 08:31:41.603768110 CET	443	49713	104.21.32.1	192.168.2.5
Mar 7, 2025 08:31:41.604329109 CET	49713	443	192.168.2.5	104.21.32.1
Mar 7, 2025 08:31:41.608275890 CET	49713	443	192.168.2.5	104.21.32.1
Mar 7, 2025 08:31:41.608288050 CET	443	49713	104.21.32.1	192.168.2.5
Mar 7, 2025 08:31:41.620529890 CET	49711	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:32:44.226283073 CET	80	49708	132.226.247.73	192.168.2.5
Mar 7, 2025 08:32:44.226336002 CET	49708	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:32:46.575228930 CET	80	49711	132.226.247.73	192.168.2.5
Mar 7, 2025 08:32:46.575325966 CET	49711	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:33:19.230345964 CET	49708	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:33:19.236823082 CET	80	49708	132.226.247.73	192.168.2.5
Mar 7, 2025 08:33:19.370909929 CET	49710	443	192.168.2.5	104.21.32.1
Mar 7, 2025 08:33:19.416336060 CET	443	49710	104.21.32.1	192.168.2.5
Mar 7, 2025 08:33:19.442687988 CET	49729	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:33:19.452384949 CET	80	49729	132.226.247.73	192.168.2.5
Mar 7, 2025 08:33:19.453984022 CET	49729	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:33:19.453984976 CET	49729	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:33:19.459364891 CET	80	49729	132.226.247.73	192.168.2.5
Mar 7, 2025 08:33:20.135396957 CET	80	49729	132.226.247.73	192.168.2.5
Mar 7, 2025 08:33:20.141201973 CET	49730	443	192.168.2.5	104.21.32.1
Mar 7, 2025 08:33:20.141257048 CET	443	49730	104.21.32.1	192.168.2.5
Mar 7, 2025 08:33:20.141366005 CET	49730	443	192.168.2.5	104.21.32.1
Mar 7, 2025 08:33:20.141789913 CET	49730	443	192.168.2.5	104.21.32.1
Mar 7, 2025 08:33:20.141824961 CET	443	49730	104.21.32.1	192.168.2.5
Mar 7, 2025 08:33:20.183267117 CET	49729	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:33:21.606004953 CET	49711	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:33:21.611093998 CET	80	49711	132.226.247.73	192.168.2.5
Mar 7, 2025 08:33:21.612710953 CET	49713	443	192.168.2.5	104.21.32.1
Mar 7, 2025 08:33:21.618813992 CET	49731	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:33:21.624011993 CET	80	49731	132.226.247.73	192.168.2.5
Mar 7, 2025 08:33:21.624135017 CET	49731	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:33:21.624250889 CET	49731	80	192.168.2.5	132.226.247.73
Mar 7, 2025 08:33:21.629379034 CET	80	49731	132.226.247.73	192.168.2.5
Mar 7, 2025 08:33:21.656369925 CET	443	49713	104.21.32.1	192.168.2.5
Mar 7, 2025 08:33:22.328167915 CET	80	49731	132.226.247.73	192.168.2.5
Mar 7, 2025 08:33:22.332154036 CET	49732	443	192.168.2.5	104.21.32.1
Mar 7, 2025 08:33:22.332192898 CET	443	49732	104.21.32.1	192.168.2.5
Mar 7, 2025 08:33:22.332257986 CET	49732	443	192.168.2.5	104.21.32.1
Mar 7, 2025 08:33:22.332657099 CET	49732	443	192.168.2.5	104.21.32.1
Mar 7, 2025 08:33:22.332668066 CET	443	49732	104.21.32.1	192.168.2.5
Mar 7, 2025 08:33:22.369820118 CET	49731	80	192.168.2.5	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 08:31:38.169858932 CET	49315	53	192.168.2.5	1.1.1.1
Mar 7, 2025 08:31:38.177134037 CET	53	49315	1.1.1.1	192.168.2.5
Mar 7, 2025 08:31:39.296582937 CET	55420	53	192.168.2.5	1.1.1.1
Mar 7, 2025 08:31:39.315098047 CET	53	55420	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 7, 2025 08:31:38.169858932 CET	192.168.2.5	1.1.1.1	0xf76f	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 7, 2025 08:31:39.296582937 CET	192.168.2.5	1.1.1.1	0x9735	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 7, 2025 08:31:38.177134037 CET	1.1.1.1	192.168.2.5	0xf76f	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 08:31:38.177134037 CET	1.1.1.1	192.168.2.5	0xf76f	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 7, 2025 08:31:38.177134037 CET	1.1.1.1	192.168.2.5	0xf76f	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 7, 2025 08:31:38.177134037 CET	1.1.1.1	192.168.2.5	0xf76f	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 7, 2025 08:31:38.177134037 CET	1.1.1.1	192.168.2.5	0xf76f	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 7, 2025 08:31:38.177134037 CET	1.1.1.1	192.168.2.5	0xf76f	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 7, 2025 08:31:39.315098047 CET	1.1.1.1	192.168.2.5	0x9735	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 08:31:39.315098047 CET	1.1.1.1	192.168.2.5	0x9735	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 08:31:39.315098047 CET	1.1.1.1	192.168.2.5	0x9735	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 08:31:39.315098047 CET	1.1.1.1	192.168.2.5	0x9735	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 08:31:39.315098047 CET	1.1.1.1	192.168.2.5	0x9735	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 08:31:39.315098047 CET	1.1.1.1	192.168.2.5	0x9735	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 08:31:39.315098047 CET	1.1.1.1	192.168.2.5	0x9735	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	132.226.247.73	80	3680	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 08:31:38.192492962 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 08:31:39.012908936 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 07:31:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 08:31:39.017469883 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 08:31:39.226174116 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 07:31:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	132.226.247.73	80	4580	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 08:31:40.680855989 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 08:31:41.362386942 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 07:31:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 08:31:41.365888119 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 08:31:41.573961973 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 07:31:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49729	132.226.247.73	80	3680	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 08:33:19.453984976 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 08:33:20.135396957 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 07:33:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49731	132.226.247.73	80	4580	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 08:33:21.624250889 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 08:33:22.328167915 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 07:33:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Target ID:	0
Start time:	02:31:35
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z1INVOICE4602-FMT25020147.scr.exe"
Imagebase:	0xb20000
File size:	708'616 bytes
MD5 hash:	96564260F9ABCAB539243AAE164715AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2098615391.0000000004705000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:31:36
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe"
Imagebase:	0xe00000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:31:36
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:31:36
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp2A88.tmp"
Imagebase:	0x130000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:31:36
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:31:36
Start date:	07/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xfb0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.3303268355.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.3305473597.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	02:31:37
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe
Imagebase:	0x4e0000
File size:	708'616 bytes
MD5 hash:	96564260F9ABCAB539243AAE164715AD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.2129360756.00000000040C6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 39%, ReversingLabs Detection: 33%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:31:37
Start date:	07/03/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:31:39
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GkrJfjIkIvsq" /XML "C:\Users\user\AppData\Local\Temp\tmp34AA.tmp"
Imagebase:	0x130000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:31:39
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:31:39
Start date:	07/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x790000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.3306199090.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report z1INVOICE4602-FMT25020147.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GkrJfjIkIvsq.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z1INVOICE4602-FMT25020147.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1qcjrtbk.mls.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ao4bdkvr.eh4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gpjewhhm.frc.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gympkans.hts.psm1

C:\Users\user\AppData\Local\Temp\tmp2A88.tmp

C:\Users\user\AppData\Local\Temp\tmp34AA.tmp

C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe

C:\Users\user\AppData\Roaming\GkrJfjIkIvsq.exe:Zone.Identifier

Static File Info

Windows Analysis Report
z1INVOICE4602-FMT25020147.scr.exe