Windows Analysis Report
Invoice- Trikaya Bio.exe

Overview

General Information

Sample name: Invoice- Trikaya Bio.exe
Analysis ID: 1631507
MD5: a862497c8d7259be228a59e3b79e4cb3
SHA1: 8aab6013aaaa09e3931adc366ccc7ec4b80f425a
SHA256: 0f509d4c022c142dd43f6cdf4b3a23196a5ce9eac448a7540e9e8ad709de6ce2
Tags: exe, Invoice, SnakeKeylogger, user-cocaman

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Invoice- Trikaya Bio.exe (PID: 5476 cmdline: "C:\Users\user\Desktop\Invoice- Trikaya Bio.exe" MD5: A862497C8D7259BE228A59E3B79E4CB3)
    • RegSvcs.exe (PID: 6412 cmdline: "C:\Users\user\Desktop\Invoice- Trikaya Bio.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8147359814:AAFqq1spFpNySus2Q92Z7HxFe84oTTR0k6o/sendMessage?chat_id=1166322455", "Token": "8147359814:AAFqq1spFpNySus2Q92Z7HxFe84oTTR0k6o", "Chat_id": "1166322455", "Version": "5.1"}
Source | Rule | Description | Author | Strings
Source: 00000002.00000002.4646941144.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000002.00000002.4646941144.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 00000002.00000002.4646941144.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
  • 0x1490b:$a1: get_encryptedPassword
  • 0x14bf7:$a2: get_encryptedUsername
  • 0x14717:$a3: get_timePasswordChanged
  • 0x14812:$a4: get_passwordField
  • 0x14921:$a5: set_encryptedPassword
  • 0x15f88:$a7: get_logins
  • 0x15eeb:$a10: KeyLoggerEventArgs
  • 0x15b56:$a11: KeyLoggerEventArgsEventHandler
Source: 00000002.00000002.4646941144.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Rule: MALWARE_Win_SnakeKeylogger | Description: Detects Snake Keylogger | Author: ditekSHen
  • 0x19972:$x1: $%SMTPDV$
  • 0x18298:$x2: $#TheHashHere%&
  • 0x1991a:$x3: %FTPDV$
  • 0x18238:$x4: $%TelegramDv$
  • 0x15b56:$x5: KeyLoggerEventArgs
  • 0x15eeb:$x5: KeyLoggerEventArgs
  • 0x1993e:$m2: Clipboard Logs ID
  • 0x19b72:$m2: Screenshot Logs ID
  • 0x19c82:$m2: keystroke Logs ID
  • 0x19f5c:$m3: SnakePW
  • 0x19b4a:$m4: \SnakeKeylogger\
Source: 00000000.00000002.2199589335.0000000001EF0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
  • 0x14b0b:$a1: get_encryptedPassword
  • 0x14df7:$a2: get_encryptedUsername
  • 0x14917:$a3: get_timePasswordChanged
  • 0x14a12:$a4: get_passwordField
  • 0x14b21:$a5: set_encryptedPassword
  • 0x16188:$a7: get_logins
  • 0x160eb:$a10: KeyLoggerEventArgs
  • 0x15d56:$a11: KeyLoggerEventArgsEventHandler
Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack | Rule: MAL_Envrial_Jan18_1 | Description: Detects Encrial credential stealer malware | Author: Florian Roth
  • 0x1c51e:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1b750:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1bb83:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1cbc2:$a5: \Kometa\User Data\Default\Login Data
Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Description: Detects executables with potential process hooking | Author: ditekSHen
  • 0x156e6:$s1: UnHook
  • 0x156ed:$s2: SetHook
  • 0x156f5:$s3: CallNextHook
  • 0x15702:$s4: _hook
            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T09:28:26.724046+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49720 | 104.21.32.1 | 443 | TCP
2025-03-07T09:28:29.828964+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49727 | 104.21.32.1 | 443 | TCP
2025-03-07T09:28:35.996792+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49747 | 104.21.32.1 | 443 | TCP
2025-03-07T09:28:39.178301+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49755 | 104.21.32.1 | 443 | TCP
2025-03-07T09:28:45.590472+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 62207 | 104.21.32.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T09:28:21.519740+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49713 | 132.226.8.169 | 80 | TCP
2025-03-07T09:28:24.472926+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49713 | 132.226.8.169 | 80 | TCP
2025-03-07T09:28:27.597904+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49726 | 132.226.8.169 | 80 | TCP

            AV Detection

Source: Invoice- Trikaya Bio.exe | Avira: detected
Source: 00000002.00000002.4646941144.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8147359814:AAFqq1spFpNySus2Q92Z7HxFe84oTTR0k6o/sendMessage?chat_id=1166322455", "Token": "8147359814:AAFqq1spFpNySus2Q92Z7HxFe84oTTR0k6o", "Chat_id": "1166322455", "Version": "5.1"}
Source: Invoice- Trikaya Bio.exe | Virustotal: Detection: 47%
Source: Invoice- Trikaya Bio.exe | ReversingLabs: Detection: 62%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack | String decryptor: info@bondamit.shop
Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack | String decryptor: payment1759
Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack | String decryptor: bondamit.shop
Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack | String decryptor: 143
Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack | String decryptor:
Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack | String decryptor: 8147359814:AAFqq1spFpNySus2Q92Z7HxFe84oTTR0k6o
Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack | String decryptor: 1166322455

            Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Invoice- Trikaya Bio.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49714 version: TLS 1.0
Source: Binary string: wntdll.pdbUGP | source: Invoice- Trikaya Bio.exe, 00000000.00000003.2187449726.0000000003C80000.00000004.00001000.00020000.00000000.sdmp, Invoice- Trikaya Bio.exe, 00000000.00000003.2189220374.0000000003E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Invoice- Trikaya Bio.exe, 00000000.00000003.2187449726.0000000003C80000.00000004.00001000.00020000.00000000.sdmp, Invoice- Trikaya Bio.exe, 00000000.00000003.2189220374.0000000003E20000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B0445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00B0445A
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B0C6D1 FindFirstFileW,FindClose,0_2_00B0C6D1
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B0C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00B0C75C
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B0EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00B0EF95
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B0F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00B0F0F2
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B0F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00B0F3F3
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00B037EF
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B03B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00B03B12
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B0BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00B0BCBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 016AF1F6h | 2_2_016AF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 016AFB80h | 2_2_016AF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_016AE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_016AEB5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_016AED3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05AC8945h | 2_2_05AC8608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05AC0FF1h | 2_2_05AC0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05AC8001h | 2_2_05AC7D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05AC7751h | 2_2_05AC74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05AC0741h | 2_2_05AC0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05AC6A21h | 2_2_05AC6778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05AC6171h | 2_2_05AC5EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05AC58C1h | 2_2_05AC5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05AC8459h | 2_2_05AC81B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05AC5441h | 2_2_05AC5198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05AC7BA9h | 2_2_05AC7900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05AC0B99h | 2_2_05AC08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05AC02E9h | 2_2_05AC0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05AC72FAh | 2_2_05AC7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 2_2_05AC33A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 2_2_05AC33B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05AC6E79h | 2_2_05AC6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05AC65C9h | 2_2_05AC6320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05AC5D19h | 2_2_05AC5A70
Source: global traffic | TCP traffic: 192.168.2.6:62192 -> 1.1.1.1:53
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: Joe Sandbox View | IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View | IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49726 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49713 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49755 -> 104.21.32.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49747 -> 104.21.32.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49720 -> 104.21.32.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:62207 -> 104.21.32.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49727 -> 104.21.32.1:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B122EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00B122EE
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.4648373614.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.000000000318E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.0000000003180000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.0000000003172000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.0000000003165000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.00000000031CA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.00000000030D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.4648373614.0000000003115000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.000000000318E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.00000000030C6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.0000000003180000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.0000000003172000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.0000000003165000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.00000000031CA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.00000000030D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.4648373614.0000000003011000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: Invoice- Trikaya Bio.exe, 00000000.00000002.2199589335.0000000001EF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4646941144.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.4648373614.00000000031BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgP
Source: RegSvcs.exe, 00000002.00000002.4648373614.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.000000000318E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.0000000003180000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.0000000003172000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.0000000003165000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.00000000031CA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.00000000030EA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.4648373614.0000000003011000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.4648373614.0000000003115000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.000000000318E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.0000000003180000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.0000000003172000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.0000000003165000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.00000000031CA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.00000000030D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: Invoice- Trikaya Bio.exe, 00000000.00000002.2199589335.0000000001EF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4646941144.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.00000000030D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.4648373614.00000000030D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000002.00000002.4648373614.0000000003115000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.000000000318E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.0000000003180000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.0000000003172000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.0000000003165000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.00000000031CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 62199 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 62207 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62207
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62199
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00B14164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00B13F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00B0001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00B2CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

            System Summary

            barindex
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 00000002.00000002.4646941144.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 00000002.00000002.4646941144.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 00000000.00000002.2199589335.0000000001EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 00000000.00000002.2199589335.0000000001EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 00000000.00000002.2199589335.0000000001EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 00000000.00000002.2199589335.0000000001EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: Process Memory Space: Invoice- Trikaya Bio.exe PID: 5476, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: Process Memory Space: Invoice- Trikaya Bio.exe PID: 5476, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: Process Memory Space: RegSvcs.exe PID: 6412, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: Process Memory Space: RegSvcs.exe PID: 6412, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AA3B3A This is a third-party compiled AutoIt script.
            Source: Invoice- Trikaya Bio.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: Invoice- Trikaya Bio.exe, 00000000.00000000.2175785594.0000000000B54000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_d5610ac9-c
            Source: Invoice- Trikaya Bio.exe, 00000000.00000000.2175785594.0000000000B54000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_a99728d3-5
            Source: Invoice- Trikaya Bio.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_d7a74392-4
            Source: Invoice- Trikaya Bio.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_224ac0a2-9
            Source: initial sampleStatic PE information: Filename: Invoice- Trikaya Bio.exe
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00B0A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AF8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00B051BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AAE6A0
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00ACD975
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AAFCE0
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AC21C5
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AD62D2
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00B203DA
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AD242E
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AC25FA
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AB66E1
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AFE616
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AD878F
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00B08889
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AB8808
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00B20857
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AD6844
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00ACCB21
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AD6DB6
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AB6F9E
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AB3030
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AC3187
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00ACF1D9
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AA1287
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AC1484
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AB5520
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AC7696
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AB5760
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AC1978
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AD9AB5
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00ACBDA6
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AC1D90
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00B27DDB
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AB3FE0
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AADF00
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_01265800
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_016A6108
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_016AC190
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_016AF007
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_016AB328
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_016AC470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_016AC751
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_016A9858
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_016A6880
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_016ABBD2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_016ACA31
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_016A4AD9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_016ABEB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_016A3570
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_016AE528
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_016AE517
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_016AB4F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACBD38
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACA408
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACB6E8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC8608
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACD670
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACC9D8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACB0A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACD028
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACC388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC8B58
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACAA58
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC85FC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACBD28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC0D39
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC0D48
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC7D48
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC7D58
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC74A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC0488
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC0498
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC7497
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC4430
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC3730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC676A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC6778
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC5EB8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC5EC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACB6D9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC560A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC5618
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACD662
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC11A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC81A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC81B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC518A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC5198
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC1191
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACC9C8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC7900
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACB08F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC08E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC08F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC78F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC0006
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC2807
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC2818
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACD018
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC0040
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC7040
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC7050
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC33A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC33B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACA3F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC6BC1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC6BD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC6320
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC6312
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACC378
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC5A60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05AC5A70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05ACAA4F
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: String function: 00AC0AE3 appears 70 times
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: String function: 00AA7DE1 appears 36 times
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: String function: 00AC8900 appears 42 times
            Source: Invoice- Trikaya Bio.exe, 00000000.00000003.2190056002.0000000003F4D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Invoice- Trikaya Bio.exe
            Source: Invoice- Trikaya Bio.exe, 00000000.00000003.2187959158.0000000003DA3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Invoice- Trikaya Bio.exe
            Source: Invoice- Trikaya Bio.exe, 00000000.00000002.2199589335.0000000001EF0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Invoice- Trikaya Bio.exe
            Source: Invoice- Trikaya Bio.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
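The AutoIt marker string and the OriginalFilename entries above are two cheap static checks worth automating before a sample ever reaches a sandbox. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it scans a byte blob for the AutoIt3 stub marker, pulls every UTF-16LE `OriginalFilename` value out of VS_VERSIONINFO-style data with a regex heuristic, and compares those values with the name the file was delivered under. The input bytes are constructed inline to mimic what the report found, an AutoIt stub whose unpacked payload region carries the OriginalFilename `lfwhUWZlmFnGhDYPudAJ.exe`. Two caveats when reading the report's own hits: the `ntdll.dll` OriginalFilename matches come from dumped regions that merely contain the loaded ntdll image, so only the value from the 0x1EF0000 region (the Snake Keylogger payload later injected into RegSvcs.exe) is evidence of renaming; and the clipboard, GetAsyncKeyState and CreateProcessAsUserW call chains listed at the stub's own addresses are the AutoIt3 runtime's ClipGet/ClipPut, Send and RunAs implementations that every compiled AutoIt binary carries, so on their own they say "compiled AutoIt", not "keylogger".

```python
from __future__ import annotations

import re

# Marker string every AutoIt3-compiled executable carries in its stub; it is
# the string the report matched above.
AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."

# VS_VERSIONINFO stores its StringTable entries as UTF-16LE: the key
# "OriginalFilename", a NUL terminator, optional WORD padding to a 32-bit
# boundary, then the NUL-terminated value. Heuristic: only values made of
# ASCII-range code units (high byte 0x00) are matched.
_ORIGINAL_FILENAME_RE = re.compile(
    "OriginalFilename".encode("utf-16-le")
    + rb"(?:\x00\x00){1,2}"
    + rb"((?:[^\x00]\x00){1,260}?)\x00\x00"
)


def is_compiled_autoit(data: bytes) -> bool:
    """True if the blob carries the AutoIt3 stub marker string."""
    return AUTOIT_MARKER in data


def original_filenames(data: bytes) -> list[str]:
    """Every OriginalFilename value recoverable from a file or memory dump."""
    return [m.group(1).decode("utf-16-le") for m in _ORIGINAL_FILENAME_RE.finditer(data)]


def triage(data: bytes, on_disk_name: str) -> dict:
    """Static checks mirroring two of the report's signatures."""
    names = original_filenames(data)
    return {
        "compiled_autoit": is_compiled_autoit(data),
        "original_filenames": names,
        # Windows file names are case-insensitive, so compare lower-cased.
        "name_mismatch": [n for n in names if n.lower() != on_disk_name.lower()],
    }


def build_sample(original_filename: str, autoit: bool) -> bytes:
    """Constructed stand-in for a PE image or dumped region: an MZ stub, the
    AutoIt marker when requested, and one VS_VERSIONINFO-style string entry."""
    blob = bytearray(b"MZ" + b"\x90" * 62)
    if autoit:
        blob += b"\x00" * 8 + AUTOIT_MARKER + b"\x00"
    blob += "OriginalFilename".encode("utf-16-le") + b"\x00\x00"   # key + terminator
    blob += original_filename.encode("utf-16-le") + b"\x00\x00"     # value + terminator
    return bytes(blob)


if __name__ == "__main__":
    # Mimics the report: AutoIt stub, payload region with a random
    # OriginalFilename that does not match the delivered name.
    payload_region = build_sample("lfwhUWZlmFnGhDYPudAJ.exe", autoit=True)
    print(triage(payload_region, "Invoice- Trikaya Bio.exe"))
```

Run `triage()` on the file itself and on the dumped payload region (here the 0x1EF0000 dump), not on a whole-process dump, or every loaded system DLL will show up as a "mismatch".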
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000002.00000002.4646941144.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000002.00000002.4646941144.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000000.00000002.2199589335.0000000001EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000000.00000002.2199589335.0000000001EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000000.00000002.2199589335.0000000001EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 00000000.00000002.2199589335.0000000001EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: Invoice- Trikaya Bio.exe PID: 5476, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: Invoice- Trikaya Bio.exe PID: 5476, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: RegSvcs.exe PID: 6412, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: RegSvcs.exe PID: 6412, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack, ---.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack, ---.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack, ---.csBase64 encoded string: 'XgJjNCsN/UoYT5WGlZ0X0S/BBm0+QtZsfrzTD/i5uw5Pt87U09b7Gzi9hGVQno7Q'
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/2@2/2
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00B0A06A GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AF81CB AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AF87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00B0B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00B1EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00B183BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AA4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeFile created: C:\Users\user\AppData\Local\Temp\autB98F.tmp
            Source: Invoice- Trikaya Bio.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: RegSvcs.exe, 00000002.00000002.4648373614.000000000323F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.0000000003285000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.000000000325D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4649734311.0000000004099000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4648373614.0000000003291000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Invoice- Trikaya Bio.exeVirustotal: Detection: 47%
            Source: Invoice- Trikaya Bio.exeReversingLabs: Detection: 62%
            Source: unknownProcess created: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe "C:\Users\user\Desktop\Invoice- Trikaya Bio.exe"
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Invoice- Trikaya Bio.exe"
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Section loaded: wldp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: Invoice- Trikaya Bio.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Invoice- Trikaya Bio.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Invoice- Trikaya Bio.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Invoice- Trikaya Bio.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Invoice- Trikaya Bio.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Invoice- Trikaya Bio.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Invoice- Trikaya Bio.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: wntdll.pdbUGP source: Invoice- Trikaya Bio.exe, 00000000.00000003.2187449726.0000000003C80000.00000004.00001000.00020000.00000000.sdmp, Invoice- Trikaya Bio.exe, 00000000.00000003.2189220374.0000000003E20000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Invoice- Trikaya Bio.exe, 00000000.00000003.2187449726.0000000003C80000.00000004.00001000.00020000.00000000.sdmp, Invoice- Trikaya Bio.exe, 00000000.00000003.2189220374.0000000003E20000.00000004.00001000.00020000.00000000.sdmp
            Source: Invoice- Trikaya Bio.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Invoice- Trikaya Bio.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Invoice- Trikaya Bio.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Invoice- Trikaya Bio.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Invoice- Trikaya Bio.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00AA4B37 LoadLibraryA,GetProcAddress,0_2_00AA4B37
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00AC8945 push ecx; ret 0_2_00AC8958
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016A3146 push 00000001h; retf 2_2_016A3190
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016A3192 push 00000001h; retf 2_2_016A31DC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016A3062 push 00000001h; retf 2_2_016A30AC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016A304A push 00000001h; retf 2_2_016A3060
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016A300F push 00000001h; retf 2_2_016A30AC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016A30AE push 00000001h; retf 2_2_016A30F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016A30AE push 00000001h; retf 2_2_016A3144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016A3276 push 00000001h; retf 2_2_016A32C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016A322A push 00000001h; retf 2_2_016A3274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016A3212 push 00000001h; retf 2_2_016A3228
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016A32C2 push 00000001h; retf 2_2_016A330C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016A24B9 push 8BFFFFFFh; retf 2_2_016A24BF
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00AA48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00AA48D7
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B25376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00B25376
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00AC3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00AC3187
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | API/Special instruction interceptor: Address: 1265424
            Source: Invoice- Trikaya Bio.exe, 00000000.00000003.2177333381.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, Invoice- Trikaya Bio.exe, 00000000.00000003.2180845631.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, Invoice- Trikaya Bio.exe, 00000000.00000003.2180416186.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, Invoice- Trikaya Bio.exe, 00000000.00000003.2177701181.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, Invoice- Trikaya Bio.exe, 00000000.00000003.2181120893.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, Invoice- Trikaya Bio.exe, 00000000.00000003.2177258450.0000000001277000.00000004.00000020.00020000.00000000.sdmp, Invoice- Trikaya Bio.exe, 00000000.00000002.2199312496.00000000012A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599875
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599766
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599641
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599516
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599400
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599294
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599063
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598938
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598829
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598704
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598579
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598454
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598329
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598204
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598079
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597954
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597829
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597704
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597579
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597454
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597329
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597204
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597079
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596954
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596829
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596704
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596579
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596454
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596329
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596204
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596079
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595954
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595829
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595704
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595579
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595454
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595329
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595208
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595079
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594954
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594829
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594704
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594579
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594454
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594329
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594204
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594079
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593954
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1889
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7917
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-106215
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | API coverage: 4.5 %
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B0445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00B0445A
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B0C6D1 FindFirstFileW,FindClose,0_2_00B0C6D1
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B0C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00B0C75C
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B0EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00B0EF95
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B0F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00B0F0F2
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B0F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00B0F3F3
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00B037EF
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B03B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00B03B12
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B0BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00B0BCBC
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00AA49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00AA49A0
            Source: RegSvcs.exe, 00000002.00000002.4647330732.00000000012F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeAPI call chain: ExitProcess graph end nodegraph_0-104626
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00B13F09 BlockInput,0_2_00B13F09
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00AA3B3A
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AD5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00AD5A7C
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AA4B37 LoadLibraryA,GetProcAddress,0_2_00AA4B37
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_01264010 mov eax, dword ptr fs:[00000030h]0_2_01264010
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_01265690 mov eax, dword ptr fs:[00000030h]0_2_01265690
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_012656F0 mov eax, dword ptr fs:[00000030h]0_2_012656F0
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00AF80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_00AF80A9
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00ACA124 SetUnhandledExceptionFilter,0_2_00ACA124
            Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exeCode function: 0_2_00ACA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00ACA155
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F61008
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00AF87B1 LogonUserW
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00AA3B3A GetCurrentDirectoryW, IsDebuggerPresent, GetFullPathNameW, SetCurrentDirectoryW, MessageBoxA, SetCurrentDirectoryW, GetForegroundWindow, ShellExecuteW
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00AA48D7 GetForegroundWindow, FindWindowW, IsIconic, ShowWindow, SetForegroundWindow, GetWindowThreadProcessId, GetWindowThreadProcessId, GetCurrentThreadId, GetWindowThreadProcessId, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput, SetForegroundWindow, MapVirtualKeyW, MapVirtualKeyW, keybd_event, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, SetForegroundWindow, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B04C27 mouse_event
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Invoice- Trikaya Bio.exe"
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00AF7CAF GetSecurityDescriptorDacl, _memset, GetAclInformation, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00AF874B AllocateAndInitializeSid, CheckTokenMembership, FreeSid
Source: Invoice- Trikaya Bio.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Invoice- Trikaya Bio.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00AC862B cpuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00AD4E87 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00AE1E06 GetUserNameW
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00AD3F3A __lock, ____lc_codepage_func, __getenv_helper_nolock, _free, _strlen, __malloc_crt, _strlen, __invoke_watson, _free, GetTimeZoneInformation, WideCharToMultiByte, WideCharToMultiByte
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00AA49A0 GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Invoice- Trikaya Bio.exe, 00000000.00000003.2177333381.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, Invoice- Trikaya Bio.exe, 00000000.00000003.2180845631.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, Invoice- Trikaya Bio.exe, 00000000.00000003.2180416186.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, Invoice- Trikaya Bio.exe, 00000000.00000003.2177701181.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, Invoice- Trikaya Bio.exe, 00000000.00000003.2181120893.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, Invoice- Trikaya Bio.exe, 00000000.00000003.2177258450.0000000001277000.00000004.00000020.00020000.00000000.sdmp, Invoice- Trikaya Bio.exe, 00000000.00000002.2199312496.00000000012A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procmon.exe

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4646941144.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2199589335.0000000001EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4648373614.00000000031D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4648373614.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice- Trikaya Bio.exe PID: 5476, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6412, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Invoice- Trikaya Bio.exe | Binary or memory string: WIN_81
Source: Invoice- Trikaya Bio.exe | Binary or memory string: WIN_XP
Source: Invoice- Trikaya Bio.exe | Binary or memory string: WIN_XPe
Source: Invoice- Trikaya Bio.exe | Binary or memory string: WIN_VISTA
Source: Invoice- Trikaya Bio.exe | Binary or memory string: WIN_7
Source: Invoice- Trikaya Bio.exe | Binary or memory string: WIN_8
Source: Invoice- Trikaya Bio.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: Yara match | File source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4646941144.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2199589335.0000000001EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice- Trikaya Bio.exe PID: 5476, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6412, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice- Trikaya Bio.exe.1ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4646941144.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2199589335.0000000001EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4648373614.00000000031D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4648373614.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice- Trikaya Bio.exe PID: 5476, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6412, type: MEMORYSTR
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B16283 socket, WSAGetLastError, bind, listen, WSAGetLastError, closesocket
Source: C:\Users\user\Desktop\Invoice- Trikaya Bio.exe | Code function: 0_2_00B16747 socket, WSAGetLastError, bind, WSAGetLastError, closesocket
MITRE ATT&CK Matrix (one column per tactic; a number in parentheses is the count of matched signatures mapped to that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (2) | Native API (2) | DLL Side-Loading (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (11) | OS Credential Dumping (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (2) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Scheduled Task/Job | Valid Accounts (2) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (11) | Input Capture (21) | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Valid Accounts (2) | Obfuscated Files or Information (31) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Email Collection (1) | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Access Token Manipulation (21) | DLL Side-Loading (1) | NTDS | System Information Discovery (127) | Distributed Component Object Model | Input Capture (21) | Application Layer Protocol (13) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (212) | Valid Accounts (2) | LSA Secrets | Security Software Discovery (241) | SSH | Clipboard Data (3) | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Virtualization/Sandbox Evasion (11) | Cached Domain Credentials | Virtualization/Sandbox Evasion (11) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Access Token Manipulation (21) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Process Injection (212) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | System Network Configuration Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement