Edit tour

Windows Analysis Report
Way bill & Invoice.exe

Overview

General Information

Sample name:	Way bill & Invoice.exe
Analysis ID:	1635983
MD5:	cc33ef2bdc7c22e96a898ffb4c695e26
SHA1:	45ef5872d48a4dee3c6f22b5c2fe79e355791c55
SHA256:	0c44b7da727d77d876e583f808b0673875fa804a47d62aab624e69174fa7e851
Tags:	exeInvoiceSnakeKeyloggeruser-cocaman
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Binary is likely a compiled AutoIt script file

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Way bill & Invoice.exe (PID: 7164 cmdline: "C:\Users\user\Desktop\Way bill & Invoice.exe" MD5: CC33EF2BDC7C22E96A898FFB4C695E26)

RegSvcs.exe (PID: 6272 cmdline: "C:\Users\user\Desktop\Way bill & Invoice.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7604423611:AAFExAEucjbFbrODZM48wHkTl9OS3w9BAGE/sendMessage?chat_id=1166322455", "Token": "7604423611:AAFExAEucjbFbrODZM48wHkTl9OS3w9BAGE", "Chat_id": "1166322455", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.3394342101.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.3394342101.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.3394342101.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148aa:$a1: get_encryptedPassword 0x14b96:$a2: get_encryptedUsername 0x146b6:$a3: get_timePasswordChanged 0x147b1:$a4: get_passwordField 0x148c0:$a5: set_encryptedPassword 0x15f39:$a7: get_logins 0x15e9c:$a10: KeyLoggerEventArgs 0x15b07:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.3394342101.0000000000402000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198bc:$x1: $%SMTPDV$ 0x182a0:$x2: $#TheHashHere%& 0x19864:$x3: %FTPDV$ 0x18240:$x4: $%TelegramDv$ 0x15b07:$x5: KeyLoggerEventArgs 0x15e9c:$x5: KeyLoggerEventArgs 0x19888:$m2: Clipboard Logs ID 0x19ac6:$m2: Screenshot Logs ID 0x19bd6:$m2: keystroke Logs ID 0x19eb0:$m3: SnakePW 0x19a9e:$m4: \SnakeKeylogger\
00000001.00000002.3396203892.0000000002D29000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14aaa:$a1: get_encryptedPassword 0x14d96:$a2: get_encryptedUsername 0x148b6:$a3: get_timePasswordChanged 0x149b1:$a4: get_passwordField 0x14ac0:$a5: set_encryptedPassword 0x16139:$a7: get_logins 0x1609c:$a10: KeyLoggerEventArgs 0x15d07:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c472:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6a4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bad7:$a4: \Orbitum\User Data\Default\Login Data 0x1cb16:$a5: \Kometa\User Data\Default\Login Data
00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156a2:$s1: UnHook 0x156a9:$s2: SetHook 0x156b1:$s3: CallNextHook 0x156be:$s4: _hook
00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19abc:$x1: $%SMTPDV$ 0x184a0:$x2: $#TheHashHere%& 0x19a64:$x3: %FTPDV$ 0x18440:$x4: $%TelegramDv$ 0x15d07:$x5: KeyLoggerEventArgs 0x1609c:$x5: KeyLoggerEventArgs 0x19a88:$m2: Clipboard Logs ID 0x19cc6:$m2: Screenshot Logs ID 0x19dd6:$m2: keystroke Logs ID 0x1a0b0:$m3: SnakePW 0x19c9e:$m4: \SnakeKeylogger\
00000001.00000002.3396203892.0000000002B61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Way bill & Invoice.exe PID: 7164	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Way bill & Invoice.exe PID: 7164	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Way bill & Invoice.exe PID: 7164	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1edaa5:$a1: get_encryptedPassword 0x1edd87:$a2: get_encryptedUsername 0x1ed8bb:$a3: get_timePasswordChanged 0x1ed9b6:$a4: get_passwordField 0x1edabb:$a5: set_encryptedPassword 0x1eff92:$a7: get_logins 0x1efef5:$a10: KeyLoggerEventArgs 0x1efb60:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Way bill & Invoice.exe PID: 7164	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1efb60:$x5: KeyLoggerEventArgs 0x1efef5:$x5: KeyLoggerEventArgs 0x1f07fc:$x5: KeyLoggerEventArgs 0x1f0b5d:$x5: KeyLoggerEventArgs 0x1f2121:$m2: Clipboard Logs ID 0x1f2227:$m2: Screenshot Logs ID 0x1f227d:$m2: keystroke Logs ID 0x1f23b2:$m3: SnakePW 0x1f2213:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 6272	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6272	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 6272	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1df8c:$a1: get_encryptedPassword 0x1e26e:$a2: get_encryptedUsername 0x1dda2:$a3: get_timePasswordChanged 0x1de9d:$a4: get_passwordField 0x1dfa2:$a5: set_encryptedPassword 0x20479:$a7: get_logins 0x203dc:$a10: KeyLoggerEventArgs 0x20047:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 6272	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x20047:$x5: KeyLoggerEventArgs 0x203dc:$x5: KeyLoggerEventArgs 0x20ce3:$x5: KeyLoggerEventArgs 0x21044:$x5: KeyLoggerEventArgs 0x22608:$m2: Clipboard Logs ID 0x2270e:$m2: Screenshot Logs ID 0x22764:$m2: keystroke Logs ID 0x22899:$m3: SnakePW 0x226fa:$m4: \SnakeKeylogger\
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Way bill & Invoice.exe.3e50000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Way bill & Invoice.exe.3e50000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Way bill & Invoice.exe.3e50000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12caa:$a1: get_encryptedPassword 0x12f96:$a2: get_encryptedUsername 0x12ab6:$a3: get_timePasswordChanged 0x12bb1:$a4: get_passwordField 0x12cc0:$a5: set_encryptedPassword 0x14339:$a7: get_logins 0x1429c:$a10: KeyLoggerEventArgs 0x13f07:$a11: KeyLoggerEventArgsEventHandler
0.2.Way bill & Invoice.exe.3e50000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a672:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198a4:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cd7:$a4: \Orbitum\User Data\Default\Login Data 0x1ad16:$a5: \Kometa\User Data\Default\Login Data
0.2.Way bill & Invoice.exe.3e50000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138a2:$s1: UnHook 0x138a9:$s2: SetHook 0x138b1:$s3: CallNextHook 0x138be:$s4: _hook
0.2.Way bill & Invoice.exe.3e50000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cbc:$x1: $%SMTPDV$ 0x166a0:$x2: $#TheHashHere%& 0x17c64:$x3: %FTPDV$ 0x16640:$x4: $%TelegramDv$ 0x13f07:$x5: KeyLoggerEventArgs 0x1429c:$x5: KeyLoggerEventArgs 0x17c88:$m2: Clipboard Logs ID 0x17ec6:$m2: Screenshot Logs ID 0x17fd6:$m2: keystroke Logs ID 0x182b0:$m3: SnakePW 0x17e9e:$m4: \SnakeKeylogger\
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14aaa:$a1: get_encryptedPassword 0x14d96:$a2: get_encryptedUsername 0x148b6:$a3: get_timePasswordChanged 0x149b1:$a4: get_passwordField 0x14ac0:$a5: set_encryptedPassword 0x16139:$a7: get_logins 0x1609c:$a10: KeyLoggerEventArgs 0x15d07:$a11: KeyLoggerEventArgsEventHandler
1.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c472:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6a4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bad7:$a4: \Orbitum\User Data\Default\Login Data 0x1cb16:$a5: \Kometa\User Data\Default\Login Data
1.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156a2:$s1: UnHook 0x156a9:$s2: SetHook 0x156b1:$s3: CallNextHook 0x156be:$s4: _hook
1.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19abc:$x1: $%SMTPDV$ 0x184a0:$x2: $#TheHashHere%& 0x19a64:$x3: %FTPDV$ 0x18440:$x4: $%TelegramDv$ 0x15d07:$x5: KeyLoggerEventArgs 0x1609c:$x5: KeyLoggerEventArgs 0x19a88:$m2: Clipboard Logs ID 0x19cc6:$m2: Screenshot Logs ID 0x19dd6:$m2: keystroke Logs ID 0x1a0b0:$m3: SnakePW 0x19c9e:$m4: \SnakeKeylogger\
0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14aaa:$a1: get_encryptedPassword 0x14d96:$a2: get_encryptedUsername 0x148b6:$a3: get_timePasswordChanged 0x149b1:$a4: get_passwordField 0x14ac0:$a5: set_encryptedPassword 0x16139:$a7: get_logins 0x1609c:$a10: KeyLoggerEventArgs 0x15d07:$a11: KeyLoggerEventArgsEventHandler
0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c472:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6a4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bad7:$a4: \Orbitum\User Data\Default\Login Data 0x1cb16:$a5: \Kometa\User Data\Default\Login Data
0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156a2:$s1: UnHook 0x156a9:$s2: SetHook 0x156b1:$s3: CallNextHook 0x156be:$s4: _hook
0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19abc:$x1: $%SMTPDV$ 0x184a0:$x2: $#TheHashHere%& 0x19a64:$x3: %FTPDV$ 0x18440:$x4: $%TelegramDv$ 0x15d07:$x5: KeyLoggerEventArgs 0x1609c:$x5: KeyLoggerEventArgs 0x19a88:$m2: Clipboard Logs ID 0x19cc6:$m2: Screenshot Logs ID 0x19dd6:$m2: keystroke Logs ID 0x1a0b0:$m3: SnakePW 0x19c9e:$m4: \SnakeKeylogger\
Click to see the 13 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T09:28:30.139865+0100	2803305	3	Unknown Traffic	192.168.2.7	49686	104.21.96.1	443	TCP
2025-03-12T09:28:34.560540+0100	2803305	3	Unknown Traffic	192.168.2.7	49689	104.21.96.1	443	TCP
2025-03-12T09:28:37.852822+0100	2803305	3	Unknown Traffic	192.168.2.7	49695	104.21.96.1	443	TCP
2025-03-12T09:28:41.208663+0100	2803305	3	Unknown Traffic	192.168.2.7	49697	104.21.96.1	443	TCP
2025-03-12T09:28:44.399947+0100	2803305	3	Unknown Traffic	192.168.2.7	49699	104.21.96.1	443	TCP
2025-03-12T09:28:47.575700+0100	2803305	3	Unknown Traffic	192.168.2.7	49701	104.21.96.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T09:28:12.234262+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49682	172.67.74.152	443	TCP
2025-03-12T09:28:24.570251+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49684	193.122.6.168	80	TCP
2025-03-12T09:28:27.867107+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49684	193.122.6.168	80	TCP
2025-03-12T09:28:30.851537+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49688	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Way bill & Invoice.exe

Avira: detected

Found malware configuration

Source: 00000001.00000002.3394342101.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7604423611:AAFExAEucjbFbrODZM48wHkTl9OS3w9BAGE/sendMessage?chat_id=1166322455", "Token": "7604423611:AAFExAEucjbFbrODZM48wHkTl9OS3w9BAGE", "Chat_id": "1166322455", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: Way bill & Invoice.exe	Virustotal: Detection: 53%			Perma Link
Source: Way bill & Invoice.exe	ReversingLabs: Detection: 60%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 1.2.RegSvcs.exe.400000.0.unpack	String decryptor:
Source: 1.2.RegSvcs.exe.400000.0.unpack	String decryptor: 7604423611:AAFExAEucjbFbrODZM48wHkTl9OS3w9BAGE
Source: 1.2.RegSvcs.exe.400000.0.unpack	String decryptor: 1166322455

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Way bill & Invoice.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.7:49685 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: Way bill & Invoice.exe, 00000000.00000003.938840513.0000000004050000.00000004.00001000.00020000.00000000.sdmp, Way bill & Invoice.exe, 00000000.00000003.939113401.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Way bill & Invoice.exe, 00000000.00000003.938840513.0000000004050000.00000004.00001000.00020000.00000000.sdmp, Way bill & Invoice.exe, 00000000.00000003.939113401.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003F445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_003F445A
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003FC6D1 FindFirstFileW,FindClose,	0_2_003FC6D1
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003FC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_003FC75C
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003FEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003FEF95
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003FF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003FF0F2
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003FF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003FF3F3
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003F37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003F37EF
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003F3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003F3B12
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003FBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003FBCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00EBF1F6h	1_2_00EBF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00EBFB80h	1_2_00EBF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_00EBE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05728945h	1_2_05728608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05728001h	1_2_05727D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05720FF1h	1_2_05720D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05727BA9h	1_2_05727900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05728459h	1_2_057281B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05725441h	1_2_05725198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 057272FAh	1_2_05727050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 057202E9h	1_2_05720040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05720B99h	1_2_057208F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05727751h	1_2_057274A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05720741h	1_2_05720498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05726A21h	1_2_05726778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 057265C9h	1_2_05726320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05726E79h	1_2_05726BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_057233B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_057233A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05725D19h	1_2_05725A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 057258C1h	1_2_05725618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05726171h	1_2_05725EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_057236CE

Source: global traffic

TCP traffic: 192.168.2.7:63825 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49688 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49684 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49686 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49682 -> 172.67.74.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49699 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49697 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49701 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49689 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49695 -> 104.21.96.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.7:49685 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_004022EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_004022EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 197.87.175.4.in-addr.arpa

Source: RegSvcs.exe, 00000001.00000002.3396203892.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002C23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000001.00000002.3396203892.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002CED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002C23000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002C17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000001.00000002.3396203892.0000000002B61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000001.00000002.3397774142.00000000061E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/V
Source: Way bill & Invoice.exe, 00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3394342101.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000001.00000002.3396203892.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000001.00000002.3396203892.0000000002B61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000001.00000002.3396203892.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002C23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Way bill & Invoice.exe, 00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3394342101.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002C23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000001.00000002.3396203892.0000000002C23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000001.00000002.3396203892.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002C66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_00404164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00404164

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_00404164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00404164

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_00403F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00403F66

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003F001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_003F001C

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_0041CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0041CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Way bill & Invoice.exe.3e50000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Way bill & Invoice.exe.3e50000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Way bill & Invoice.exe.3e50000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Way bill & Invoice.exe.3e50000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.3394342101.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.3394342101.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Way bill & Invoice.exe PID: 7164, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Way bill & Invoice.exe PID: 7164, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 6272, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6272, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00393B3A
Source: Way bill & Invoice.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Way bill & Invoice.exe, 00000000.00000000.925850418.0000000000444000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a5cfc008-0
Source: Way bill & Invoice.exe, 00000000.00000000.925850418.0000000000444000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_65f935fc-a
Source: Way bill & Invoice.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6849a89a-f
Source: Way bill & Invoice.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_d338a36e-a

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Way bill & Invoice.exe

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003FA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_003FA1EF

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003E8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_003E8310

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003F51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_003F51BD

Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003BD975	0_2_003BD975
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003B21C5	0_2_003B21C5
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003C62D2	0_2_003C62D2
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_004103DA	0_2_004103DA
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003C242E	0_2_003C242E
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003B25FA	0_2_003B25FA
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003EE616	0_2_003EE616
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_0039E6A0	0_2_0039E6A0
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003A66E1	0_2_003A66E1
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003C878F	0_2_003C878F
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_00410857	0_2_00410857
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003A8808	0_2_003A8808
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003C6844	0_2_003C6844
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003F8889	0_2_003F8889
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003BCB21	0_2_003BCB21
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003C6DB6	0_2_003C6DB6
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003A6F9E	0_2_003A6F9E
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003A3030	0_2_003A3030
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003B3187	0_2_003B3187
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003BF1D9	0_2_003BF1D9
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_00391287	0_2_00391287
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003B1484	0_2_003B1484
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003A5520	0_2_003A5520
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003B7696	0_2_003B7696
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003A5760	0_2_003A5760
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003B1978	0_2_003B1978
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003C9AB5	0_2_003C9AB5
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_0039FCE0	0_2_0039FCE0
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_00417DDB	0_2_00417DDB
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003BBDA6	0_2_003BBDA6
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003B1D90	0_2_003B1D90
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_0039DF00	0_2_0039DF00
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003A3FE0	0_2_003A3FE0
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_01643818	0_2_01643818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00EBF007	1_2_00EBF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00EBC192	1_2_00EBC192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00EBB328	1_2_00EBB328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00EBC470	1_2_00EBC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00EBC752	1_2_00EBC752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00EB6730	1_2_00EB6730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00EB9858	1_2_00EB9858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00EB4AD9	1_2_00EB4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00EBCA32	1_2_00EBCA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00EBBBD2	1_2_00EBBBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00EBBEB2	1_2_00EBBEB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00EBB4F2	1_2_00EBB4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00EB3572	1_2_00EB3572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00EBE528	1_2_00EBE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00EBE517	1_2_00EBE517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572BD38	1_2_0572BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572C9D8	1_2_0572C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05728C51	1_2_05728C51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572D028	1_2_0572D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572A408	1_2_0572A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572B0A0	1_2_0572B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572C388	1_2_0572C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572D670	1_2_0572D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572AA58	1_2_0572AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05728608	1_2_05728608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572B6E8	1_2_0572B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05727D58	1_2_05727D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05720D48	1_2_05720D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05727D48	1_2_05727D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05720D39	1_2_05720D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572BD2B	1_2_0572BD2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05727900	1_2_05727900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_057285F8	1_2_057285F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572C9C8	1_2_0572C9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_057281B0	1_2_057281B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_057211A0	1_2_057211A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_057281A0	1_2_057281A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05725198	1_2_05725198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572518B	1_2_0572518B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05727050	1_2_05727050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05720040	1_2_05720040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572704B	1_2_0572704B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05724430	1_2_05724430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05722818	1_2_05722818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572D018	1_2_0572D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05720007	1_2_05720007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05722807	1_2_05722807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_057208F0	1_2_057208F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_057278F0	1_2_057278F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_057208E0	1_2_057208E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_057274A8	1_2_057274A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572B090	1_2_0572B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05727497	1_2_05727497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05720498	1_2_05720498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05720488	1_2_05720488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05726778	1_2_05726778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572C378	1_2_0572C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572676B	1_2_0572676B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05726320	1_2_05726320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05726313	1_2_05726313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572A3F8	1_2_0572A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05726BD0	1_2_05726BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05726BC1	1_2_05726BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_057233B8	1_2_057233B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_057233A8	1_2_057233A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05725A70	1_2_05725A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572D662	1_2_0572D662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05725A60	1_2_05725A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572AA48	1_2_0572AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05725618	1_2_05725618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572560B	1_2_0572560B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572B6D9	1_2_0572B6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05725EC8	1_2_05725EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05725EB8	1_2_05725EB8

Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: String function: 00397DE1 appears 35 times
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: String function: 003B0AE3 appears 70 times
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: String function: 003B8900 appears 42 times

Source: Way bill & Invoice.exe, 00000000.00000003.937687734.0000000003FA3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Way bill & Invoice.exe
Source: Way bill & Invoice.exe, 00000000.00000003.937430812.000000000414D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Way bill & Invoice.exe
Source: Way bill & Invoice.exe, 00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Way bill & Invoice.exe

Source: Way bill & Invoice.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.Way bill & Invoice.exe.3e50000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Way bill & Invoice.exe.3e50000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Way bill & Invoice.exe.3e50000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Way bill & Invoice.exe.3e50000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.3394342101.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.3394342101.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Way bill & Invoice.exe PID: 7164, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Way bill & Invoice.exe PID: 7164, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 6272, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6272, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack, cZ-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack, cZ-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack, cZ-.cs

Base64 encoded string: 'mAe3Cur1u4Pc5tpm19itaXnW96yikFvh/5H/LxtdsURxTl3YAf0auKUtc1fh32Xg'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@4/2

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003FA06A GetLastError,FormatMessageW,

0_2_003FA06A

Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003E81CB AdjustTokenPrivileges,CloseHandle,		0_2_003E81CB
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003E87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_003E87E1

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003FB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_003FB333

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_0040EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0040EE0D

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003FC397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_003FC397

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_00394E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00394E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

File created: C:\Users\user~1\AppData\Local\Temp\autE895.tmp

Jump to behavior

Source: Way bill & Invoice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.3396203892.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3397238863.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3396203892.0000000002D92000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Way bill & Invoice.exe	Virustotal: Detection: 53%
Source: Way bill & Invoice.exe	ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\Way bill & Invoice.exe "C:\Users\user\Desktop\Way bill & Invoice.exe"
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Way bill & Invoice.exe"
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Way bill & Invoice.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Way bill & Invoice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Way bill & Invoice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Way bill & Invoice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Way bill & Invoice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Way bill & Invoice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Way bill & Invoice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Way bill & Invoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Way bill & Invoice.exe, 00000000.00000003.938840513.0000000004050000.00000004.00001000.00020000.00000000.sdmp, Way bill & Invoice.exe, 00000000.00000003.939113401.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Way bill & Invoice.exe, 00000000.00000003.938840513.0000000004050000.00000004.00001000.00020000.00000000.sdmp, Way bill & Invoice.exe, 00000000.00000003.939113401.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp

Source: Way bill & Invoice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Way bill & Invoice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Way bill & Invoice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Way bill & Invoice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Way bill & Invoice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_00394B37 LoadLibraryA,GetProcAddress,

0_2_00394B37

Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_0039C508 push A30039BAh; retn 0039h	0_2_0039C50D
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003B8945 push ecx; ret	0_2_003B8958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00EB24B9 push 8BFFFFFFh; retf	1_2_00EB24BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0572393E push cs; iretd	1_2_0572393F

Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_003948D7
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_00415376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00415376

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003B3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_003B3187

Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

API/Special instruction interceptor: Address: 164343C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598490	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596670	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596340	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594438	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1493			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8358			Jump to behavior

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102540

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

API coverage: 4.7 %

Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003F445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_003F445A
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003FC6D1 FindFirstFileW,FindClose,	0_2_003FC6D1
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003FC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_003FC75C
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003FEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003FEF95
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003FF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003FF0F2
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003FF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003FF3F3
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003F37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003F37EF
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003F3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003F3B12
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003FBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003FBCBC

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003949A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598490	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596670	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596340	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594438	Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.3395187354.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_00403F09 BlockInput,

0_2_00403F09

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_00393B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00393B3A

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003C5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_003C5A7C

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_00394B37 LoadLibraryA,GetProcAddress,

0_2_00394B37

Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_01642068 mov eax, dword ptr fs:[00000030h]	0_2_01642068
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_01643708 mov eax, dword ptr fs:[00000030h]	0_2_01643708
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_016436A8 mov eax, dword ptr fs:[00000030h]	0_2_016436A8

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003E80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_003E80A9

Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003BA124 SetUnhandledExceptionFilter,		0_2_003BA124
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_003BA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_003BA155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 81B008

Jump to behavior

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003E87B1 LogonUserW,

0_2_003E87B1

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_00393B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00393B3A

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_003948D7

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003F4C27 mouse_event,

0_2_003F4C27

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Way bill & Invoice.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003E7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_003E7CAF

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003E874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_003E874B

Source: Way bill & Invoice.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Way bill & Invoice.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003B862B cpuid

0_2_003B862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003C4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_003C4E87

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003D1E06 GetUserNameW,

0_2_003D1E06

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003C3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_003C3F3A

Source: C:\Users\user\Desktop\Way bill & Invoice.exe

Code function: 0_2_003949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003949A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Way bill & Invoice.exe.3e50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3394342101.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3396203892.0000000002D29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3396203892.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Way bill & Invoice.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6272, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Way bill & Invoice.exe	Binary or memory string: WIN_81
Source: Way bill & Invoice.exe	Binary or memory string: WIN_XP
Source: Way bill & Invoice.exe	Binary or memory string: WIN_XPe
Source: Way bill & Invoice.exe	Binary or memory string: WIN_VISTA
Source: Way bill & Invoice.exe	Binary or memory string: WIN_7
Source: Way bill & Invoice.exe	Binary or memory string: WIN_8
Source: Way bill & Invoice.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.Way bill & Invoice.exe.3e50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3394342101.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Way bill & Invoice.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6272, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Way bill & Invoice.exe.3e50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Way bill & Invoice.exe.3e50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3394342101.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3396203892.0000000002D29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.940469056.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3396203892.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Way bill & Invoice.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6272, type: MEMORYSTR

Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_00406283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00406283
Source: C:\Users\user\Desktop\Way bill & Invoice.exe	Code function: 0_2_00406747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00406747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	31 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	131 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Virtualization/Sandbox Evasion	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Way bill & Invoice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Way bill & Invoice.exe