Edit tour

Windows Analysis Report
Payment slip.exe

Overview

General Information

Sample name:	Payment slip.exe
Analysis ID:	1638158
MD5:	17669e24a399028c85b83b759a06f785
SHA1:	d153f832f3f531d35782cfa47456b4d3b4ae1e6a
SHA256:	f044b5d05d7ba6db1b4145a880af916645f2c3e1c28341cee79021ffedb4d1a9
Tags:	exeuser-julianmckein
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Payment slip.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\Payment slip.exe" MD5: 17669E24A399028C85B83B759A06F785)

Payment slip.exe (PID: 7692 cmdline: "C:\Users\user\Desktop\Payment slip.exe" MD5: 17669E24A399028C85B83B759A06F785)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8001882214:AAFYbuE3sctUsMptRg6i8B28zD_AOK7mrvg/sendMessage?chat_id=6090860697", "Token": "8001882214:AAFYbuE3sctUsMptRg6i8B28zD_AOK7mrvg", "Chat_id": "6090860697", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.3658162162.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3658162162.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.3658162162.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148e0:$a1: get_encryptedPassword 0x14bcc:$a2: get_encryptedUsername 0x146ec:$a3: get_timePasswordChanged 0x147e7:$a4: get_passwordField 0x148f6:$a5: set_encryptedPassword 0x15f4c:$a7: get_logins 0x15eaf:$a10: KeyLoggerEventArgs 0x15b1a:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.3658162162.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198c4:$x1: $%SMTPDV$ 0x182a8:$x2: $#TheHashHere%& 0x1986c:$x3: %FTPDV$ 0x18248:$x4: $%TelegramDv$ 0x15b1a:$x5: KeyLoggerEventArgs 0x15eaf:$x5: KeyLoggerEventArgs 0x19890:$m2: Clipboard Logs ID 0x19ace:$m2: Screenshot Logs ID 0x19bde:$m2: keystroke Logs ID 0x19eb8:$m3: SnakePW 0x19aa6:$m4: \SnakeKeylogger\
00000003.00000002.3660519204.000000000328F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.3660519204.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.1216305549.00000000041C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1216305549.00000000041C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.1216305549.00000000041C9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x285df0:$a1: get_encryptedPassword 0x2a6810:$a1: get_encryptedPassword 0x2c7030:$a1: get_encryptedPassword 0x2860dc:$a2: get_encryptedUsername 0x2a6afc:$a2: get_encryptedUsername 0x2c731c:$a2: get_encryptedUsername 0x285bfc:$a3: get_timePasswordChanged 0x2a661c:$a3: get_timePasswordChanged 0x2c6e3c:$a3: get_timePasswordChanged 0x285cf7:$a4: get_passwordField 0x2a6717:$a4: get_passwordField 0x2c6f37:$a4: get_passwordField 0x285e06:$a5: set_encryptedPassword 0x2a6826:$a5: set_encryptedPassword 0x2c7046:$a5: set_encryptedPassword 0x28745c:$a7: get_logins 0x2a7e7c:$a7: get_logins 0x2c869c:$a7: get_logins 0x2873bf:$a10: KeyLoggerEventArgs 0x2a7ddf:$a10: KeyLoggerEventArgs 0x2c85ff:$a10: KeyLoggerEventArgs
00000001.00000002.1216305549.00000000041C9000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28add4:$x1: $%SMTPDV$ 0x2ab7f4:$x1: $%SMTPDV$ 0x2cc014:$x1: $%SMTPDV$ 0x2897b8:$x2: $#TheHashHere%& 0x2aa1d8:$x2: $#TheHashHere%& 0x2ca9f8:$x2: $#TheHashHere%& 0x28ad7c:$x3: %FTPDV$ 0x2ab79c:$x3: %FTPDV$ 0x2cbfbc:$x3: %FTPDV$ 0x289758:$x4: $%TelegramDv$ 0x2aa178:$x4: $%TelegramDv$ 0x2ca998:$x4: $%TelegramDv$ 0x28702a:$x5: KeyLoggerEventArgs 0x2873bf:$x5: KeyLoggerEventArgs 0x2a7a4a:$x5: KeyLoggerEventArgs 0x2a7ddf:$x5: KeyLoggerEventArgs 0x2c826a:$x5: KeyLoggerEventArgs 0x2c85ff:$x5: KeyLoggerEventArgs 0x28ada0:$m2: Clipboard Logs ID 0x28afde:$m2: Screenshot Logs ID 0x28b0ee:$m2: keystroke Logs ID
Process Memory Space: Payment slip.exe PID: 7528	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Payment slip.exe PID: 7528	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Payment slip.exe PID: 7528	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x69fbd:$a1: get_encryptedPassword 0x6a1b2:$a2: get_encryptedUsername 0x69de6:$a3: get_timePasswordChanged 0x69ed5:$a4: get_passwordField 0x69fd3:$a5: set_encryptedPassword 0x6bf70:$a7: get_logins 0x6bee8:$a10: KeyLoggerEventArgs 0x6bc73:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Payment slip.exe PID: 7528	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x6bc73:$x5: KeyLoggerEventArgs 0x6bee8:$x5: KeyLoggerEventArgs 0x6c70d:$x5: KeyLoggerEventArgs 0x6ca6e:$x5: KeyLoggerEventArgs 0x6dfe2:$m2: Clipboard Logs ID 0x6e0e8:$m2: Screenshot Logs ID 0x6e13e:$m2: keystroke Logs ID 0x6e273:$m3: SnakePW 0x6e0d4:$m4: \SnakeKeylogger\
Process Memory Space: Payment slip.exe PID: 7692	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Payment slip.exe PID: 7692	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Payment slip.exe PID: 7692	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2043e:$a1: get_encryptedPassword 0x20720:$a2: get_encryptedUsername 0x20254:$a3: get_timePasswordChanged 0x2034f:$a4: get_passwordField 0x20454:$a5: set_encryptedPassword 0x22971:$a7: get_logins 0x228d4:$a10: KeyLoggerEventArgs 0x2253f:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Payment slip.exe PID: 7692	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2253f:$x5: KeyLoggerEventArgs 0x228d4:$x5: KeyLoggerEventArgs 0x231db:$x5: KeyLoggerEventArgs 0x2353c:$x5: KeyLoggerEventArgs 0x24aff:$m2: Clipboard Logs ID 0x24c05:$m2: Screenshot Logs ID 0x24c5b:$m2: keystroke Logs ID 0x24d90:$m3: SnakePW 0x24bf1:$m4: \SnakeKeylogger\
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.Payment slip.exe.443a310.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Payment slip.exe.443a310.5.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.Payment slip.exe.443a310.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12ce0:$a1: get_encryptedPassword 0x12fcc:$a2: get_encryptedUsername 0x12aec:$a3: get_timePasswordChanged 0x12be7:$a4: get_passwordField 0x12cf6:$a5: set_encryptedPassword 0x1434c:$a7: get_logins 0x142af:$a10: KeyLoggerEventArgs 0x13f1a:$a11: KeyLoggerEventArgsEventHandler
1.2.Payment slip.exe.443a310.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a67a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198ac:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cdf:$a4: \Orbitum\User Data\Default\Login Data 0x1ad1e:$a5: \Kometa\User Data\Default\Login Data
1.2.Payment slip.exe.443a310.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138a9:$s1: UnHook 0x138b0:$s2: SetHook 0x138b8:$s3: CallNextHook 0x138c5:$s4: _hook
1.2.Payment slip.exe.443a310.5.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cc4:$x1: $%SMTPDV$ 0x166a8:$x2: $#TheHashHere%& 0x17c6c:$x3: %FTPDV$ 0x16648:$x4: $%TelegramDv$ 0x13f1a:$x5: KeyLoggerEventArgs 0x142af:$x5: KeyLoggerEventArgs 0x17c90:$m2: Clipboard Logs ID 0x17ece:$m2: Screenshot Logs ID 0x17fde:$m2: keystroke Logs ID 0x182b8:$m3: SnakePW 0x17ea6:$m4: \SnakeKeylogger\
3.2.Payment slip.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Payment slip.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.Payment slip.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ae0:$a1: get_encryptedPassword 0x14dcc:$a2: get_encryptedUsername 0x148ec:$a3: get_timePasswordChanged 0x149e7:$a4: get_passwordField 0x14af6:$a5: set_encryptedPassword 0x1614c:$a7: get_logins 0x160af:$a10: KeyLoggerEventArgs 0x15d1a:$a11: KeyLoggerEventArgsEventHandler
3.2.Payment slip.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c47a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6ac:$a3: \Google\Chrome\User Data\Default\Login Data 0x1badf:$a4: \Orbitum\User Data\Default\Login Data 0x1cb1e:$a5: \Kometa\User Data\Default\Login Data
3.2.Payment slip.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156a9:$s1: UnHook 0x156b0:$s2: SetHook 0x156b8:$s3: CallNextHook 0x156c5:$s4: _hook
3.2.Payment slip.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ac4:$x1: $%SMTPDV$ 0x184a8:$x2: $#TheHashHere%& 0x19a6c:$x3: %FTPDV$ 0x18448:$x4: $%TelegramDv$ 0x15d1a:$x5: KeyLoggerEventArgs 0x160af:$x5: KeyLoggerEventArgs 0x19a90:$m2: Clipboard Logs ID 0x19cce:$m2: Screenshot Logs ID 0x19dde:$m2: keystroke Logs ID 0x1a0b8:$m3: SnakePW 0x19ca6:$m4: \SnakeKeylogger\
1.2.Payment slip.exe.443a310.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Payment slip.exe.443a310.5.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.Payment slip.exe.443a310.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ae0:$a1: get_encryptedPassword 0x35500:$a1: get_encryptedPassword 0x55d20:$a1: get_encryptedPassword 0x14dcc:$a2: get_encryptedUsername 0x357ec:$a2: get_encryptedUsername 0x5600c:$a2: get_encryptedUsername 0x148ec:$a3: get_timePasswordChanged 0x3530c:$a3: get_timePasswordChanged 0x55b2c:$a3: get_timePasswordChanged 0x149e7:$a4: get_passwordField 0x35407:$a4: get_passwordField 0x55c27:$a4: get_passwordField 0x14af6:$a5: set_encryptedPassword 0x35516:$a5: set_encryptedPassword 0x55d36:$a5: set_encryptedPassword 0x1614c:$a7: get_logins 0x36b6c:$a7: get_logins 0x5738c:$a7: get_logins 0x160af:$a10: KeyLoggerEventArgs 0x36acf:$a10: KeyLoggerEventArgs 0x572ef:$a10: KeyLoggerEventArgs
1.2.Payment slip.exe.443a310.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c47a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce9a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d6ba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6ac:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c0cc:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c8ec:$a3: \Google\Chrome\User Data\Default\Login Data 0x1badf:$a4: \Orbitum\User Data\Default\Login Data 0x3c4ff:$a4: \Orbitum\User Data\Default\Login Data 0x5cd1f:$a4: \Orbitum\User Data\Default\Login Data 0x1cb1e:$a5: \Kometa\User Data\Default\Login Data 0x3d53e:$a5: \Kometa\User Data\Default\Login Data 0x5dd5e:$a5: \Kometa\User Data\Default\Login Data
1.2.Payment slip.exe.443a310.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156a9:$s1: UnHook 0x360c9:$s1: UnHook 0x568e9:$s1: UnHook 0x156b0:$s2: SetHook 0x360d0:$s2: SetHook 0x568f0:$s2: SetHook 0x156b8:$s3: CallNextHook 0x360d8:$s3: CallNextHook 0x568f8:$s3: CallNextHook 0x156c5:$s4: _hook 0x360e5:$s4: _hook 0x56905:$s4: _hook
1.2.Payment slip.exe.443a310.5.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ac4:$x1: $%SMTPDV$ 0x3a4e4:$x1: $%SMTPDV$ 0x5ad04:$x1: $%SMTPDV$ 0x184a8:$x2: $#TheHashHere%& 0x38ec8:$x2: $#TheHashHere%& 0x596e8:$x2: $#TheHashHere%& 0x19a6c:$x3: %FTPDV$ 0x3a48c:$x3: %FTPDV$ 0x5acac:$x3: %FTPDV$ 0x18448:$x4: $%TelegramDv$ 0x38e68:$x4: $%TelegramDv$ 0x59688:$x4: $%TelegramDv$ 0x15d1a:$x5: KeyLoggerEventArgs 0x160af:$x5: KeyLoggerEventArgs 0x3673a:$x5: KeyLoggerEventArgs 0x36acf:$x5: KeyLoggerEventArgs 0x56f5a:$x5: KeyLoggerEventArgs 0x572ef:$x5: KeyLoggerEventArgs 0x19a90:$m2: Clipboard Logs ID 0x19cce:$m2: Screenshot Logs ID 0x19dde:$m2: keystroke Logs ID
1.2.Payment slip.exe.43d50f0.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Payment slip.exe.43d50f0.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.Payment slip.exe.436fed0.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Payment slip.exe.43d50f0.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x79d00:$a1: get_encryptedPassword 0x9a720:$a1: get_encryptedPassword 0xbaf40:$a1: get_encryptedPassword 0x79fec:$a2: get_encryptedUsername 0x9aa0c:$a2: get_encryptedUsername 0xbb22c:$a2: get_encryptedUsername 0x79b0c:$a3: get_timePasswordChanged 0x9a52c:$a3: get_timePasswordChanged 0xbad4c:$a3: get_timePasswordChanged 0x79c07:$a4: get_passwordField 0x9a627:$a4: get_passwordField 0xbae47:$a4: get_passwordField 0x79d16:$a5: set_encryptedPassword 0x9a736:$a5: set_encryptedPassword 0xbaf56:$a5: set_encryptedPassword 0x7b36c:$a7: get_logins 0x9bd8c:$a7: get_logins 0xbc5ac:$a7: get_logins 0x7b2cf:$a10: KeyLoggerEventArgs 0x9bcef:$a10: KeyLoggerEventArgs 0xbc50f:$a10: KeyLoggerEventArgs
1.2.Payment slip.exe.436fed0.6.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.Payment slip.exe.436fed0.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdef20:$a1: get_encryptedPassword 0xff940:$a1: get_encryptedPassword 0x120160:$a1: get_encryptedPassword 0xdf20c:$a2: get_encryptedUsername 0xffc2c:$a2: get_encryptedUsername 0x12044c:$a2: get_encryptedUsername 0xded2c:$a3: get_timePasswordChanged 0xff74c:$a3: get_timePasswordChanged 0x11ff6c:$a3: get_timePasswordChanged 0xdee27:$a4: get_passwordField 0xff847:$a4: get_passwordField 0x120067:$a4: get_passwordField 0xdef36:$a5: set_encryptedPassword 0xff956:$a5: set_encryptedPassword 0x120176:$a5: set_encryptedPassword 0xe058c:$a7: get_logins 0x100fac:$a7: get_logins 0x1217cc:$a7: get_logins 0xe04ef:$a10: KeyLoggerEventArgs 0x100f0f:$a10: KeyLoggerEventArgs 0x12172f:$a10: KeyLoggerEventArgs
1.2.Payment slip.exe.43d50f0.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x8169a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xa20ba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc28da:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x808cc:$a3: \Google\Chrome\User Data\Default\Login Data 0xa12ec:$a3: \Google\Chrome\User Data\Default\Login Data 0xc1b0c:$a3: \Google\Chrome\User Data\Default\Login Data 0x80cff:$a4: \Orbitum\User Data\Default\Login Data 0xa171f:$a4: \Orbitum\User Data\Default\Login Data 0xc1f3f:$a4: \Orbitum\User Data\Default\Login Data 0x81d3e:$a5: \Kometa\User Data\Default\Login Data 0xa275e:$a5: \Kometa\User Data\Default\Login Data 0xc2f7e:$a5: \Kometa\User Data\Default\Login Data
1.2.Payment slip.exe.436fed0.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xdfae9:$s1: UnHook 0x100509:$s1: UnHook 0x120d29:$s1: UnHook 0xdfaf0:$s2: SetHook 0x100510:$s2: SetHook 0x120d30:$s2: SetHook 0xdfaf8:$s3: CallNextHook 0x100518:$s3: CallNextHook 0x120d38:$s3: CallNextHook 0xdfb05:$s4: _hook 0x100525:$s4: _hook 0x120d45:$s4: _hook
1.2.Payment slip.exe.436fed0.6.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xe3f04:$x1: $%SMTPDV$ 0x104924:$x1: $%SMTPDV$ 0x125144:$x1: $%SMTPDV$ 0xe28e8:$x2: $#TheHashHere%& 0x103308:$x2: $#TheHashHere%& 0x123b28:$x2: $#TheHashHere%& 0xe3eac:$x3: %FTPDV$ 0x1048cc:$x3: %FTPDV$ 0x1250ec:$x3: %FTPDV$ 0xe2888:$x4: $%TelegramDv$ 0x1032a8:$x4: $%TelegramDv$ 0x123ac8:$x4: $%TelegramDv$ 0xe015a:$x5: KeyLoggerEventArgs 0xe04ef:$x5: KeyLoggerEventArgs 0x100b7a:$x5: KeyLoggerEventArgs 0x100f0f:$x5: KeyLoggerEventArgs 0x12139a:$x5: KeyLoggerEventArgs 0x12172f:$x5: KeyLoggerEventArgs 0xe3ed0:$m2: Clipboard Logs ID 0xe410e:$m2: Screenshot Logs ID 0xe421e:$m2: keystroke Logs ID
1.2.Payment slip.exe.43d50f0.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x7a8c9:$s1: UnHook 0x9b2e9:$s1: UnHook 0xbbb09:$s1: UnHook 0x7a8d0:$s2: SetHook 0x9b2f0:$s2: SetHook 0xbbb10:$s2: SetHook 0x7a8d8:$s3: CallNextHook 0x9b2f8:$s3: CallNextHook 0xbbb18:$s3: CallNextHook 0x7a8e5:$s4: _hook 0x9b305:$s4: _hook 0xbbb25:$s4: _hook
1.2.Payment slip.exe.43d50f0.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x7ece4:$x1: $%SMTPDV$ 0x9f704:$x1: $%SMTPDV$ 0xbff24:$x1: $%SMTPDV$ 0x7d6c8:$x2: $#TheHashHere%& 0x9e0e8:$x2: $#TheHashHere%& 0xbe908:$x2: $#TheHashHere%& 0x7ec8c:$x3: %FTPDV$ 0x9f6ac:$x3: %FTPDV$ 0xbfecc:$x3: %FTPDV$ 0x7d668:$x4: $%TelegramDv$ 0x9e088:$x4: $%TelegramDv$ 0xbe8a8:$x4: $%TelegramDv$ 0x7af3a:$x5: KeyLoggerEventArgs 0x7b2cf:$x5: KeyLoggerEventArgs 0x9b95a:$x5: KeyLoggerEventArgs 0x9bcef:$x5: KeyLoggerEventArgs 0xbc17a:$x5: KeyLoggerEventArgs 0xbc50f:$x5: KeyLoggerEventArgs 0x7ecb0:$m2: Clipboard Logs ID 0x7eeee:$m2: Screenshot Logs ID 0x7effe:$m2: keystroke Logs ID
Click to see the 24 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T09:10:19.967927+0100	2803305	3	Unknown Traffic	192.168.2.6	49697	104.21.16.1	443	TCP
2025-03-14T09:10:23.085162+0100	2803305	3	Unknown Traffic	192.168.2.6	49699	104.21.16.1	443	TCP
2025-03-14T09:10:31.005709+0100	2803305	3	Unknown Traffic	192.168.2.6	49707	104.21.16.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T09:10:14.557237+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49692	193.122.6.168	80	TCP
2025-03-14T09:10:18.104231+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49692	193.122.6.168	80	TCP
2025-03-14T09:10:20.651096+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49698	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Payment slip.exe

Avira: detected

Found malware configuration

Source: 00000003.00000002.3660519204.00000000030C1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8001882214:AAFYbuE3sctUsMptRg6i8B28zD_AOK7mrvg/sendMessage?chat_id=6090860697", "Token": "8001882214:AAFYbuE3sctUsMptRg6i8B28zD_AOK7mrvg", "Chat_id": "6090860697", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: Payment slip.exe	Virustotal: Detection: 43%			Perma Link
Source: Payment slip.exe	ReversingLabs: Detection: 60%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 1.2.Payment slip.exe.443a310.5.unpack	String decryptor:
Source: 1.2.Payment slip.exe.443a310.5.unpack	String decryptor: 8001882214:AAFYbuE3sctUsMptRg6i8B28zD_AOK7mrvg
Source: 1.2.Payment slip.exe.443a310.5.unpack	String decryptor: 6090860697

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Payment slip.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49696 version: TLS 1.0

Source: Payment slip.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 0145F1F6h	3_2_0145F007
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 0145FB80h	3_2_0145F007
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_0145E528
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_0145EB5B
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_0145ED3C
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 06D08945h	3_2_06D08608
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 06D00FF1h	3_2_06D00D48
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 06D06171h	3_2_06D05EC8
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_06D036CE
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 06D05D19h	3_2_06D05A70
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 06D058C1h	3_2_06D05618
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 06D06E79h	3_2_06D06BD0
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_06D033B8
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_06D033A8
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 06D06A21h	3_2_06D06778
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 06D065C9h	3_2_06D06320
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 06D00B99h	3_2_06D008F0
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 06D00741h	3_2_06D00498
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 06D07751h	3_2_06D074A8
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 06D072FAh	3_2_06D07050
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 06D002E9h	3_2_06D00040
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 06D05441h	3_2_06D05198
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 06D08459h	3_2_06D081B0
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 06D08001h	3_2_06D07D58
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 4x nop then jmp 06D07BA9h	3_2_06D07900

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49692 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49698 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49707 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49699 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49697 -> 104.21.16.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49696 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Payment slip.exe, 00000003.00000002.3660519204.0000000003237000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003245000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003273000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003229000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003189000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.000000000321C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Payment slip.exe, 00000003.00000002.3660519204.0000000003237000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.000000000317D000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003245000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003253000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003273000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003229000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003189000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.000000000321C000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.00000000031CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Payment slip.exe, 00000003.00000002.3660519204.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Payment slip.exe, 00000001.00000002.1216305549.00000000041C9000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3658162162.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Payment slip.exe, 00000003.00000002.3660519204.0000000003237000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003245000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003273000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003229000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.000000000321C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Payment slip.exe, 00000003.00000002.3660519204.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment slip.exe, 00000003.00000002.3660519204.0000000003237000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003245000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003273000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003229000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003189000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.000000000321C000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.00000000031CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Payment slip.exe, 00000001.00000002.1216305549.00000000041C9000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3658162162.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003189000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Payment slip.exe, 00000003.00000002.3660519204.00000000031CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Payment slip.exe, 00000003.00000002.3660519204.0000000003237000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003245000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003273000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003229000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.000000000321C000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.00000000031CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.Payment slip.exe.443a310.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Payment slip.exe.443a310.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Payment slip.exe.443a310.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Payment slip.exe.443a310.5.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.Payment slip.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Payment slip.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.Payment slip.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Payment slip.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.Payment slip.exe.443a310.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Payment slip.exe.443a310.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Payment slip.exe.443a310.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Payment slip.exe.443a310.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.3658162162.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.3658162162.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.1216305549.00000000041C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1216305549.00000000041C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Payment slip.exe PID: 7528, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Payment slip.exe PID: 7528, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Payment slip.exe PID: 7692, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Payment slip.exe PID: 7692, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment slip.exe

Source: C:\Users\user\Desktop\Payment slip.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_027E2679	1_2_027E2679
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_027E0872	1_2_027E0872
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_027E96E8	1_2_027E96E8
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_027E1408	1_2_027E1408
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_027E3540	1_2_027E3540
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_027E1C80	1_2_027E1C80
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_027E1358	1_2_027E1358
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_027E13B3	1_2_027E13B3
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_027E5698	1_2_027E5698
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_027E5688	1_2_027E5688
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_027E3517	1_2_027E3517
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_027E5B50	1_2_027E5B50
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_027E5B40	1_2_027E5B40
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_027E58F0	1_2_027E58F0
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_027E58E0	1_2_027E58E0
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_04DE97D0	1_2_04DE97D0
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_04DE8DC4	1_2_04DE8DC4
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_04DE5CCC	1_2_04DE5CCC
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_04DE7C78	1_2_04DE7C78
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_04DE7C68	1_2_04DE7C68
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_04DE9C13	1_2_04DE9C13
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_04DE9C30	1_2_04DE9C30
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_04DE8DC1	1_2_04DE8DC1
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_04DE8D28	1_2_04DE8D28
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_04DE8E14	1_2_04DE8E14
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_09330040	1_2_09330040
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_09333A30	1_2_09333A30
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 1_2_093345F0	1_2_093345F0
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_01456108	3_2_01456108
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_0145C190	3_2_0145C190
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_0145F007	3_2_0145F007
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_0145B328	3_2_0145B328
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_0145C470	3_2_0145C470
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_0145C751	3_2_0145C751
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_01459858	3_2_01459858
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_01456880	3_2_01456880
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_0145BBD2	3_2_0145BBD2
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_0145CA31	3_2_0145CA31
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_01454AD9	3_2_01454AD9
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_0145BEB0	3_2_0145BEB0
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_01453570	3_2_01453570
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_0145E517	3_2_0145E517
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_0145E528	3_2_0145E528
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_0145B4F2	3_2_0145B4F2
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0B6E8	3_2_06D0B6E8
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0AA58	3_2_06D0AA58
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0D670	3_2_06D0D670
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D08608	3_2_06D08608
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0C388	3_2_06D0C388
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0B0A0	3_2_06D0B0A0
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D08C51	3_2_06D08C51
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0A408	3_2_06D0A408
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0D028	3_2_06D0D028
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0C9D8	3_2_06D0C9D8
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D011A0	3_2_06D011A0
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D00D48	3_2_06D00D48
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0BD38	3_2_06D0BD38
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0B6D9	3_2_06D0B6D9
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D05EC8	3_2_06D05EC8
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D05EB8	3_2_06D05EB8
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0AA48	3_2_06D0AA48
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D05A70	3_2_06D05A70
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D05A60	3_2_06D05A60
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0D661	3_2_06D0D661
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D05618	3_2_06D05618
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0560A	3_2_06D0560A
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D06BD0	3_2_06D06BD0
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D06BC1	3_2_06D06BC1
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0A3F8	3_2_06D0A3F8
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D033B8	3_2_06D033B8
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D033A8	3_2_06D033A8
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D06778	3_2_06D06778
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0C378	3_2_06D0C378
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0676A	3_2_06D0676A
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D06312	3_2_06D06312
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D03730	3_2_06D03730
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D06320	3_2_06D06320
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D008F0	3_2_06D008F0
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D078F0	3_2_06D078F0
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D008E0	3_2_06D008E0
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D07497	3_2_06D07497
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D00498	3_2_06D00498
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D00488	3_2_06D00488
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0B08F	3_2_06D0B08F
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D074A8	3_2_06D074A8
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D07050	3_2_06D07050
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D00040	3_2_06D00040
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D07040	3_2_06D07040
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D02818	3_2_06D02818
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0D018	3_2_06D0D018
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D00007	3_2_06D00007
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D02807	3_2_06D02807
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D04430	3_2_06D04430
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D04420	3_2_06D04420
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0C9C8	3_2_06D0C9C8
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D085FC	3_2_06D085FC
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D01191	3_2_06D01191
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D05198	3_2_06D05198
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0518A	3_2_06D0518A
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D081B0	3_2_06D081B0
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D081A0	3_2_06D081A0
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D07D58	3_2_06D07D58
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D07D48	3_2_06D07D48
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D07900	3_2_06D07900
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D00D39	3_2_06D00D39
Source: C:\Users\user\Desktop\Payment slip.exe	Code function: 3_2_06D0BD28	3_2_06D0BD28

Source: Payment slip.exe, 00000001.00000002.1213019614.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Payment slip.exe
Source: Payment slip.exe, 00000001.00000000.1202335513.000000000057A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenEUG.exe8 vs Payment slip.exe
Source: Payment slip.exe, 00000001.00000002.1221091944.00000000092C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Payment slip.exe
Source: Payment slip.exe, 00000001.00000002.1215142486.0000000002A06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Payment slip.exe
Source: Payment slip.exe, 00000001.00000002.1220826436.0000000007830000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Payment slip.exe
Source: Payment slip.exe, 00000001.00000002.1215142486.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Payment slip.exe
Source: Payment slip.exe, 00000001.00000002.1216305549.00000000041C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Payment slip.exe
Source: Payment slip.exe, 00000001.00000002.1216305549.00000000041C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Payment slip.exe
Source: Payment slip.exe, 00000001.00000002.1215142486.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Payment slip.exe
Source: Payment slip.exe, 00000001.00000002.1215142486.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Payment slip.exe
Source: Payment slip.exe, 00000001.00000002.1215142486.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Payment slip.exe
Source: Payment slip.exe, 00000003.00000002.3658499964.00000000010F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Payment slip.exe
Source: Payment slip.exe, 00000003.00000002.3658162162.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Payment slip.exe
Source: Payment slip.exe	Binary or memory string: OriginalFilenamenEUG.exe8 vs Payment slip.exe

Source: Payment slip.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.Payment slip.exe.443a310.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Payment slip.exe.443a310.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Payment slip.exe.443a310.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Payment slip.exe.443a310.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.Payment slip.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Payment slip.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Payment slip.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Payment slip.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.Payment slip.exe.443a310.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Payment slip.exe.443a310.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Payment slip.exe.443a310.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Payment slip.exe.443a310.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.3658162162.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.3658162162.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.1216305549.00000000041C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1216305549.00000000041C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Payment slip.exe PID: 7528, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Payment slip.exe PID: 7528, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Payment slip.exe PID: 7692, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Payment slip.exe PID: 7692, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: Payment slip.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.Payment slip.exe.443a310.5.raw.unpack, --j-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Payment slip.exe.443a310.5.raw.unpack, --j-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Payment slip.exe.443a310.5.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Payment slip.exe.443a310.5.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, ryyrd0rJBWMktoNnBP.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, ryyrd0rJBWMktoNnBP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, fvcsapb9hyjct1cgyo.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, fvcsapb9hyjct1cgyo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, fvcsapb9hyjct1cgyo.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, fvcsapb9hyjct1cgyo.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, fvcsapb9hyjct1cgyo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, fvcsapb9hyjct1cgyo.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, fvcsapb9hyjct1cgyo.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, fvcsapb9hyjct1cgyo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, fvcsapb9hyjct1cgyo.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, ryyrd0rJBWMktoNnBP.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, ryyrd0rJBWMktoNnBP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, ryyrd0rJBWMktoNnBP.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, ryyrd0rJBWMktoNnBP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\Payment slip.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment slip.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Payment slip.exe

Mutant created: NULL

Source: Payment slip.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Payment slip.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Payment slip.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payment slip.exe, 00000003.00000002.3662412052.0000000004150000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003343000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003350000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.000000000331C000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.000000000330D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Payment slip.exe	Virustotal: Detection: 43%
Source: Payment slip.exe	ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\Payment slip.exe "C:\Users\user\Desktop\Payment slip.exe"
Source: C:\Users\user\Desktop\Payment slip.exe	Process created: C:\Users\user\Desktop\Payment slip.exe "C:\Users\user\Desktop\Payment slip.exe"
Source: C:\Users\user\Desktop\Payment slip.exe	Process created: C:\Users\user\Desktop\Payment slip.exe "C:\Users\user\Desktop\Payment slip.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Payment slip.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Payment slip.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Payment slip.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Payment slip.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Payment slip.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, fvcsapb9hyjct1cgyo.cs	.Net Code: vh5pyeA7QG System.Reflection.Assembly.Load(byte[])
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, fvcsapb9hyjct1cgyo.cs	.Net Code: vh5pyeA7QG System.Reflection.Assembly.Load(byte[])
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, fvcsapb9hyjct1cgyo.cs	.Net Code: vh5pyeA7QG System.Reflection.Assembly.Load(byte[])

Source: Payment slip.exe

Static PE information: section name: .text entropy: 7.746606671423707

Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, hyU2kP523bNQjHxmN6.cs	High entropy of concatenated method names: 'qypZr4Wdex', 'MVAZKnVsuL', 'H1XZoCdS8A', 'yobZl6CgOn', 'fqaZVEFD8a', 'hUoZgvTjmD', 'jgBZQ87q4Q', 'cniZ7gGIZR', 'We8ZtdFLMZ', 'rKSZvxQape'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, GlYTWZQchbpgpPIbhn.cs	High entropy of concatenated method names: 'iqZxWEmT50', 'LP3xcnU3yJ', 'gcExTG74hE', 'IhmT6QWfmt', 'bRWTz3feKY', 'TdDxCr0f3L', 'gYfxFpG8TZ', 'sBYxRyRfjH', 'S41xmHfjgW', 'I3Pxp5epBG'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, gPtxAqz3n1yngklp8s.cs	High entropy of concatenated method names: 'i0TUhFrR3C', 'VOZUrXXMAY', 'LwGUKFwUTA', 'U1kUoX7Mxp', 'GqBUlApgHx', 'hrSUVVn5yD', 'Ek4UgeyFuj', 'J4WUGlrCXE', 'QrgUquswYN', 'cTDUNismqh'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, jOhEAcjYMhnccghhMt.cs	High entropy of concatenated method names: 'ToString', 'JbMnvgCS85', 'YmknlpMHNj', 'EE8nd9DP6o', 'jEknVKsqvp', 'SX1ngr9Cxc', 'CiLn32C35y', 'K47nQiDCfn', 'aepn7wgRdI', 'M3inLtL8ir'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, Jkq2AORLRPsL0TItgA.cs	High entropy of concatenated method names: 'sGdyYUZXU', 'Hd4IMkrY4', 'bIXh0Rnq5', 'wZyHiOyoS', 'dOYK8Bi5b', 'iKh9gxGta', 'j088oTBldIdVN4XKsk', 'pMKbRycMjHYxRsdu2K', 'lx8OjR80H', 'baIUBHVlM'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, gvETgFFCQkiO5ZwjOd5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'N1tUvunN1r', 'N0WUMuATb8', 'pxUU55dGnP', 'yLKUfrGm3A', 'wYqUDPCiga', 'js0UjS5tZE', 'oUGUY0OCU8'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, QlAkGk67J1gBMEr0ut.cs	High entropy of concatenated method names: 'P59UcnjjyT', 'VhiU8V0tAJ', 'LIGUTywo1P', 'wahUxCA2Yv', 'JliUSNJFLM', 'TYhUb0OIje', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, CxjneHwxXsp7xkV5oM.cs	High entropy of concatenated method names: 'RYCS2HJGm8', 'CEcSi8p9ke', 'KTSSSZCedB', 'kY6S0fTkl3', 'ymnSEmTgHB', 'GHaSGEc8GQ', 'Dispose', 'jsyOWF1lvE', 'JxnOBa8Kq4', 'TynOcqQQ7T'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, Sx5rcdBKVAU4JT8ri0.cs	High entropy of concatenated method names: 'Dispose', 'Xp7FsxkV5o', 'mp5RloEtRk', 'RrY9offf6b', 'PrTF6CgeeP', 'DQNFzATcI0', 'ProcessDialogKey', 'xC2RCHwpPb', 'UiVRFCNyJ6', 'mZ9RR5lAkG'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, fvcsapb9hyjct1cgyo.cs	High entropy of concatenated method names: 'QYhmesgHix', 'D5smWPvDGk', 'OT2mBxvGI6', 'y8HmcstmqH', 'MKem82svJh', 'h2CmTKPYsL', 'goPmxfSrFJ', 'NAambQFR3s', 'UwPm48aZEJ', 'gEdmuG15eW'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, zeUtarV29xKxSitwgc.cs	High entropy of concatenated method names: 'zjUTGUtJXR', 'oW8Tq1jU3H', 'O2LTyByxec', 'MFSTIyOs1H', 'QxHThloJxZ', 'dn3THbbthU', 'IoPTKMSudw', 'f2yT9EH0Fo', 'zO2UrpRQtd7ssEaXakJ', 'Q6nqmmRH1rM9NuBGxQL'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, oHwpPbs1iVCNyJ6uZ9.cs	High entropy of concatenated method names: 'UgdSouJEws', 'jlNSlrKHns', 'rLtSdQTeWZ', 'QN3SVeIkn9', 'xt8SgUMYrk', 'aXoS3cU7Ty', 'rk8SQbmIgl', 'XlsS7sUU15', 'tKtSLrYjtU', 'OxLStDhEUr'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, VgGwDRfamFL6HnBMNM.cs	High entropy of concatenated method names: 'g6F2tVOkY4', 'B5M2MikWvh', 'txc2f9RAc8', 'xcU2DHwNYE', 'A662lm5RGf', 'Pp22dFt2LK', 'Bly2VHbUXt', 'gw82gowfUb', 'xHS23WmGms', 'mNt2QHj5CC'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, njX1TCKuYL6WcKUIDt.cs	High entropy of concatenated method names: 'vqIcIpdOcq', 'QyUchOKMsp', 'btTcrV1l3q', 'MDdcKXLeym', 'QT4c2XYRTB', 'DmYcnaFE0s', 'NfDcijoLeR', 'CJwcORBieB', 'iT2cSWCjfi', 'xsQcUYZkHj'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, GyW1pDFFymGCoeB5JPM.cs	High entropy of concatenated method names: 'gOLU68Tl5J', 'R6sUzhxRBG', 'W8i0CdYNAA', 'EFG0Fviv8V', 'QXX0R1TZZq', 'hC40mRIfu1', 'RJm0p1qOMh', 'gNx0enFu42', 'qaw0WdZVnb', 'KNZ0B0PZML'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, oTA4uZpBAR1Pn34sBj.cs	High entropy of concatenated method names: 'geOFxyyrd0', 'BBWFbMktoN', 'auYFuL6WcK', 'sIDFPtZcT9', 'pVUF2dx6Nq', 'DAqFnTa7Bc', 'RFZ9gmpXXf55S1Y19C', 'kiP3GNSIaWhtPUSa1T', 'psWFFXrjiN', 'ABgFmduXXv'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, iQjCGbLUgw19tJBgj8.cs	High entropy of concatenated method names: 'WKjxqekFvp', 'dssxNZ7WNa', 'sWQxyNLxIb', 'Gi3xIFEI7C', 'jRGxJ4CYwf', 'hh0xhfOgBk', 'AOExHTvADV', 'KvYxrnmAVM', 'qU7xKbcg0Y', 'H2nx9coTks'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, myoh9T1g26PdSlUSh9.cs	High entropy of concatenated method names: 'imoiaVU9ZC', 'AWni6VZHI7', 'yANOCnT2DK', 'IhMOFThWsR', 'AF4iv1mvQF', 'CogiMkx15g', 'Aqki5pQMl3', 'CJnifU7XY6', 'PkXiDVrjhl', 'i2TijjkhLe'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, ryyrd0rJBWMktoNnBP.cs	High entropy of concatenated method names: 'Aj4BfVc00h', 'OmfBDHpYCG', 'vSkBjmBFcn', 'DryBYtPiLD', 'Bs9BkfWfwu', 'Qy7B18jLYE', 'dD7BwboNbq', 'C8eBaPrpeQ', 'QcPBsL6uPu', 'kHNB6WPh9y'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, eQRwdmlmvTm3xc050d.cs	High entropy of concatenated method names: 'No9rCdR50VYHsKOmwWL', 'Af5tIbRXniQJjYudUOD', 'pMITOFC6je', 'GcXTSnsgNp', 'SatTU9cCHo', 'E3ThXJRjJZkDPXUKg8i', 'DiNRpkRPCy0aFfLJp0a', 'UPa5CCRbkmgMj9Mjwhe'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, eH5TYZcHM2Fog2XlKb.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'F5CRsqY41J', 'VJoR6V79mv', 'ER0RzcccE4', 'TEsmC7QKOT', 'q9emFufngH', 'nPOmRrkUOp', 'JXtmmDIni0', 'gYF8JyEJ9uAIgHWL25v'
Source: 1.2.Payment slip.exe.92c0000.9.raw.unpack, YNqHAqoTa7Bc1jXMj3.cs	High entropy of concatenated method names: 'G4NTe56W3G', 'yb3TBMHF3u', 'p2RT84X4ax', 'Y2sTxEuDSj', 'wnRTbmfbZH', 'zSQ8ktF9Vo', 'bml81qBijV', 'qt78wCGvsX', 'lvI8aIwKEW', 'CDo8sIcOee'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, hyU2kP523bNQjHxmN6.cs	High entropy of concatenated method names: 'qypZr4Wdex', 'MVAZKnVsuL', 'H1XZoCdS8A', 'yobZl6CgOn', 'fqaZVEFD8a', 'hUoZgvTjmD', 'jgBZQ87q4Q', 'cniZ7gGIZR', 'We8ZtdFLMZ', 'rKSZvxQape'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, GlYTWZQchbpgpPIbhn.cs	High entropy of concatenated method names: 'iqZxWEmT50', 'LP3xcnU3yJ', 'gcExTG74hE', 'IhmT6QWfmt', 'bRWTz3feKY', 'TdDxCr0f3L', 'gYfxFpG8TZ', 'sBYxRyRfjH', 'S41xmHfjgW', 'I3Pxp5epBG'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, gPtxAqz3n1yngklp8s.cs	High entropy of concatenated method names: 'i0TUhFrR3C', 'VOZUrXXMAY', 'LwGUKFwUTA', 'U1kUoX7Mxp', 'GqBUlApgHx', 'hrSUVVn5yD', 'Ek4UgeyFuj', 'J4WUGlrCXE', 'QrgUquswYN', 'cTDUNismqh'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, jOhEAcjYMhnccghhMt.cs	High entropy of concatenated method names: 'ToString', 'JbMnvgCS85', 'YmknlpMHNj', 'EE8nd9DP6o', 'jEknVKsqvp', 'SX1ngr9Cxc', 'CiLn32C35y', 'K47nQiDCfn', 'aepn7wgRdI', 'M3inLtL8ir'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, Jkq2AORLRPsL0TItgA.cs	High entropy of concatenated method names: 'sGdyYUZXU', 'Hd4IMkrY4', 'bIXh0Rnq5', 'wZyHiOyoS', 'dOYK8Bi5b', 'iKh9gxGta', 'j088oTBldIdVN4XKsk', 'pMKbRycMjHYxRsdu2K', 'lx8OjR80H', 'baIUBHVlM'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, gvETgFFCQkiO5ZwjOd5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'N1tUvunN1r', 'N0WUMuATb8', 'pxUU55dGnP', 'yLKUfrGm3A', 'wYqUDPCiga', 'js0UjS5tZE', 'oUGUY0OCU8'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, QlAkGk67J1gBMEr0ut.cs	High entropy of concatenated method names: 'P59UcnjjyT', 'VhiU8V0tAJ', 'LIGUTywo1P', 'wahUxCA2Yv', 'JliUSNJFLM', 'TYhUb0OIje', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, CxjneHwxXsp7xkV5oM.cs	High entropy of concatenated method names: 'RYCS2HJGm8', 'CEcSi8p9ke', 'KTSSSZCedB', 'kY6S0fTkl3', 'ymnSEmTgHB', 'GHaSGEc8GQ', 'Dispose', 'jsyOWF1lvE', 'JxnOBa8Kq4', 'TynOcqQQ7T'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, Sx5rcdBKVAU4JT8ri0.cs	High entropy of concatenated method names: 'Dispose', 'Xp7FsxkV5o', 'mp5RloEtRk', 'RrY9offf6b', 'PrTF6CgeeP', 'DQNFzATcI0', 'ProcessDialogKey', 'xC2RCHwpPb', 'UiVRFCNyJ6', 'mZ9RR5lAkG'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, fvcsapb9hyjct1cgyo.cs	High entropy of concatenated method names: 'QYhmesgHix', 'D5smWPvDGk', 'OT2mBxvGI6', 'y8HmcstmqH', 'MKem82svJh', 'h2CmTKPYsL', 'goPmxfSrFJ', 'NAambQFR3s', 'UwPm48aZEJ', 'gEdmuG15eW'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, zeUtarV29xKxSitwgc.cs	High entropy of concatenated method names: 'zjUTGUtJXR', 'oW8Tq1jU3H', 'O2LTyByxec', 'MFSTIyOs1H', 'QxHThloJxZ', 'dn3THbbthU', 'IoPTKMSudw', 'f2yT9EH0Fo', 'zO2UrpRQtd7ssEaXakJ', 'Q6nqmmRH1rM9NuBGxQL'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, oHwpPbs1iVCNyJ6uZ9.cs	High entropy of concatenated method names: 'UgdSouJEws', 'jlNSlrKHns', 'rLtSdQTeWZ', 'QN3SVeIkn9', 'xt8SgUMYrk', 'aXoS3cU7Ty', 'rk8SQbmIgl', 'XlsS7sUU15', 'tKtSLrYjtU', 'OxLStDhEUr'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, VgGwDRfamFL6HnBMNM.cs	High entropy of concatenated method names: 'g6F2tVOkY4', 'B5M2MikWvh', 'txc2f9RAc8', 'xcU2DHwNYE', 'A662lm5RGf', 'Pp22dFt2LK', 'Bly2VHbUXt', 'gw82gowfUb', 'xHS23WmGms', 'mNt2QHj5CC'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, njX1TCKuYL6WcKUIDt.cs	High entropy of concatenated method names: 'vqIcIpdOcq', 'QyUchOKMsp', 'btTcrV1l3q', 'MDdcKXLeym', 'QT4c2XYRTB', 'DmYcnaFE0s', 'NfDcijoLeR', 'CJwcORBieB', 'iT2cSWCjfi', 'xsQcUYZkHj'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, GyW1pDFFymGCoeB5JPM.cs	High entropy of concatenated method names: 'gOLU68Tl5J', 'R6sUzhxRBG', 'W8i0CdYNAA', 'EFG0Fviv8V', 'QXX0R1TZZq', 'hC40mRIfu1', 'RJm0p1qOMh', 'gNx0enFu42', 'qaw0WdZVnb', 'KNZ0B0PZML'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, oTA4uZpBAR1Pn34sBj.cs	High entropy of concatenated method names: 'geOFxyyrd0', 'BBWFbMktoN', 'auYFuL6WcK', 'sIDFPtZcT9', 'pVUF2dx6Nq', 'DAqFnTa7Bc', 'RFZ9gmpXXf55S1Y19C', 'kiP3GNSIaWhtPUSa1T', 'psWFFXrjiN', 'ABgFmduXXv'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, iQjCGbLUgw19tJBgj8.cs	High entropy of concatenated method names: 'WKjxqekFvp', 'dssxNZ7WNa', 'sWQxyNLxIb', 'Gi3xIFEI7C', 'jRGxJ4CYwf', 'hh0xhfOgBk', 'AOExHTvADV', 'KvYxrnmAVM', 'qU7xKbcg0Y', 'H2nx9coTks'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, myoh9T1g26PdSlUSh9.cs	High entropy of concatenated method names: 'imoiaVU9ZC', 'AWni6VZHI7', 'yANOCnT2DK', 'IhMOFThWsR', 'AF4iv1mvQF', 'CogiMkx15g', 'Aqki5pQMl3', 'CJnifU7XY6', 'PkXiDVrjhl', 'i2TijjkhLe'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, ryyrd0rJBWMktoNnBP.cs	High entropy of concatenated method names: 'Aj4BfVc00h', 'OmfBDHpYCG', 'vSkBjmBFcn', 'DryBYtPiLD', 'Bs9BkfWfwu', 'Qy7B18jLYE', 'dD7BwboNbq', 'C8eBaPrpeQ', 'QcPBsL6uPu', 'kHNB6WPh9y'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, eQRwdmlmvTm3xc050d.cs	High entropy of concatenated method names: 'No9rCdR50VYHsKOmwWL', 'Af5tIbRXniQJjYudUOD', 'pMITOFC6je', 'GcXTSnsgNp', 'SatTU9cCHo', 'E3ThXJRjJZkDPXUKg8i', 'DiNRpkRPCy0aFfLJp0a', 'UPa5CCRbkmgMj9Mjwhe'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, eH5TYZcHM2Fog2XlKb.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'F5CRsqY41J', 'VJoR6V79mv', 'ER0RzcccE4', 'TEsmC7QKOT', 'q9emFufngH', 'nPOmRrkUOp', 'JXtmmDIni0', 'gYF8JyEJ9uAIgHWL25v'
Source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, YNqHAqoTa7Bc1jXMj3.cs	High entropy of concatenated method names: 'G4NTe56W3G', 'yb3TBMHF3u', 'p2RT84X4ax', 'Y2sTxEuDSj', 'wnRTbmfbZH', 'zSQ8ktF9Vo', 'bml81qBijV', 'qt78wCGvsX', 'lvI8aIwKEW', 'CDo8sIcOee'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, hyU2kP523bNQjHxmN6.cs	High entropy of concatenated method names: 'qypZr4Wdex', 'MVAZKnVsuL', 'H1XZoCdS8A', 'yobZl6CgOn', 'fqaZVEFD8a', 'hUoZgvTjmD', 'jgBZQ87q4Q', 'cniZ7gGIZR', 'We8ZtdFLMZ', 'rKSZvxQape'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, GlYTWZQchbpgpPIbhn.cs	High entropy of concatenated method names: 'iqZxWEmT50', 'LP3xcnU3yJ', 'gcExTG74hE', 'IhmT6QWfmt', 'bRWTz3feKY', 'TdDxCr0f3L', 'gYfxFpG8TZ', 'sBYxRyRfjH', 'S41xmHfjgW', 'I3Pxp5epBG'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, gPtxAqz3n1yngklp8s.cs	High entropy of concatenated method names: 'i0TUhFrR3C', 'VOZUrXXMAY', 'LwGUKFwUTA', 'U1kUoX7Mxp', 'GqBUlApgHx', 'hrSUVVn5yD', 'Ek4UgeyFuj', 'J4WUGlrCXE', 'QrgUquswYN', 'cTDUNismqh'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, jOhEAcjYMhnccghhMt.cs	High entropy of concatenated method names: 'ToString', 'JbMnvgCS85', 'YmknlpMHNj', 'EE8nd9DP6o', 'jEknVKsqvp', 'SX1ngr9Cxc', 'CiLn32C35y', 'K47nQiDCfn', 'aepn7wgRdI', 'M3inLtL8ir'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, Jkq2AORLRPsL0TItgA.cs	High entropy of concatenated method names: 'sGdyYUZXU', 'Hd4IMkrY4', 'bIXh0Rnq5', 'wZyHiOyoS', 'dOYK8Bi5b', 'iKh9gxGta', 'j088oTBldIdVN4XKsk', 'pMKbRycMjHYxRsdu2K', 'lx8OjR80H', 'baIUBHVlM'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, gvETgFFCQkiO5ZwjOd5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'N1tUvunN1r', 'N0WUMuATb8', 'pxUU55dGnP', 'yLKUfrGm3A', 'wYqUDPCiga', 'js0UjS5tZE', 'oUGUY0OCU8'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, QlAkGk67J1gBMEr0ut.cs	High entropy of concatenated method names: 'P59UcnjjyT', 'VhiU8V0tAJ', 'LIGUTywo1P', 'wahUxCA2Yv', 'JliUSNJFLM', 'TYhUb0OIje', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, CxjneHwxXsp7xkV5oM.cs	High entropy of concatenated method names: 'RYCS2HJGm8', 'CEcSi8p9ke', 'KTSSSZCedB', 'kY6S0fTkl3', 'ymnSEmTgHB', 'GHaSGEc8GQ', 'Dispose', 'jsyOWF1lvE', 'JxnOBa8Kq4', 'TynOcqQQ7T'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, Sx5rcdBKVAU4JT8ri0.cs	High entropy of concatenated method names: 'Dispose', 'Xp7FsxkV5o', 'mp5RloEtRk', 'RrY9offf6b', 'PrTF6CgeeP', 'DQNFzATcI0', 'ProcessDialogKey', 'xC2RCHwpPb', 'UiVRFCNyJ6', 'mZ9RR5lAkG'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, fvcsapb9hyjct1cgyo.cs	High entropy of concatenated method names: 'QYhmesgHix', 'D5smWPvDGk', 'OT2mBxvGI6', 'y8HmcstmqH', 'MKem82svJh', 'h2CmTKPYsL', 'goPmxfSrFJ', 'NAambQFR3s', 'UwPm48aZEJ', 'gEdmuG15eW'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, zeUtarV29xKxSitwgc.cs	High entropy of concatenated method names: 'zjUTGUtJXR', 'oW8Tq1jU3H', 'O2LTyByxec', 'MFSTIyOs1H', 'QxHThloJxZ', 'dn3THbbthU', 'IoPTKMSudw', 'f2yT9EH0Fo', 'zO2UrpRQtd7ssEaXakJ', 'Q6nqmmRH1rM9NuBGxQL'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, oHwpPbs1iVCNyJ6uZ9.cs	High entropy of concatenated method names: 'UgdSouJEws', 'jlNSlrKHns', 'rLtSdQTeWZ', 'QN3SVeIkn9', 'xt8SgUMYrk', 'aXoS3cU7Ty', 'rk8SQbmIgl', 'XlsS7sUU15', 'tKtSLrYjtU', 'OxLStDhEUr'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, VgGwDRfamFL6HnBMNM.cs	High entropy of concatenated method names: 'g6F2tVOkY4', 'B5M2MikWvh', 'txc2f9RAc8', 'xcU2DHwNYE', 'A662lm5RGf', 'Pp22dFt2LK', 'Bly2VHbUXt', 'gw82gowfUb', 'xHS23WmGms', 'mNt2QHj5CC'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, njX1TCKuYL6WcKUIDt.cs	High entropy of concatenated method names: 'vqIcIpdOcq', 'QyUchOKMsp', 'btTcrV1l3q', 'MDdcKXLeym', 'QT4c2XYRTB', 'DmYcnaFE0s', 'NfDcijoLeR', 'CJwcORBieB', 'iT2cSWCjfi', 'xsQcUYZkHj'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, GyW1pDFFymGCoeB5JPM.cs	High entropy of concatenated method names: 'gOLU68Tl5J', 'R6sUzhxRBG', 'W8i0CdYNAA', 'EFG0Fviv8V', 'QXX0R1TZZq', 'hC40mRIfu1', 'RJm0p1qOMh', 'gNx0enFu42', 'qaw0WdZVnb', 'KNZ0B0PZML'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, oTA4uZpBAR1Pn34sBj.cs	High entropy of concatenated method names: 'geOFxyyrd0', 'BBWFbMktoN', 'auYFuL6WcK', 'sIDFPtZcT9', 'pVUF2dx6Nq', 'DAqFnTa7Bc', 'RFZ9gmpXXf55S1Y19C', 'kiP3GNSIaWhtPUSa1T', 'psWFFXrjiN', 'ABgFmduXXv'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, iQjCGbLUgw19tJBgj8.cs	High entropy of concatenated method names: 'WKjxqekFvp', 'dssxNZ7WNa', 'sWQxyNLxIb', 'Gi3xIFEI7C', 'jRGxJ4CYwf', 'hh0xhfOgBk', 'AOExHTvADV', 'KvYxrnmAVM', 'qU7xKbcg0Y', 'H2nx9coTks'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, myoh9T1g26PdSlUSh9.cs	High entropy of concatenated method names: 'imoiaVU9ZC', 'AWni6VZHI7', 'yANOCnT2DK', 'IhMOFThWsR', 'AF4iv1mvQF', 'CogiMkx15g', 'Aqki5pQMl3', 'CJnifU7XY6', 'PkXiDVrjhl', 'i2TijjkhLe'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, ryyrd0rJBWMktoNnBP.cs	High entropy of concatenated method names: 'Aj4BfVc00h', 'OmfBDHpYCG', 'vSkBjmBFcn', 'DryBYtPiLD', 'Bs9BkfWfwu', 'Qy7B18jLYE', 'dD7BwboNbq', 'C8eBaPrpeQ', 'QcPBsL6uPu', 'kHNB6WPh9y'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, eQRwdmlmvTm3xc050d.cs	High entropy of concatenated method names: 'No9rCdR50VYHsKOmwWL', 'Af5tIbRXniQJjYudUOD', 'pMITOFC6je', 'GcXTSnsgNp', 'SatTU9cCHo', 'E3ThXJRjJZkDPXUKg8i', 'DiNRpkRPCy0aFfLJp0a', 'UPa5CCRbkmgMj9Mjwhe'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, eH5TYZcHM2Fog2XlKb.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'F5CRsqY41J', 'VJoR6V79mv', 'ER0RzcccE4', 'TEsmC7QKOT', 'q9emFufngH', 'nPOmRrkUOp', 'JXtmmDIni0', 'gYF8JyEJ9uAIgHWL25v'
Source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, YNqHAqoTa7Bc1jXMj3.cs	High entropy of concatenated method names: 'G4NTe56W3G', 'yb3TBMHF3u', 'p2RT84X4ax', 'Y2sTxEuDSj', 'wnRTbmfbZH', 'zSQ8ktF9Vo', 'bml81qBijV', 'qt78wCGvsX', 'lvI8aIwKEW', 'CDo8sIcOee'

Source: C:\Users\user\Desktop\Payment slip.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Payment slip.exe	Memory allocated: 27A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Memory allocated: 29C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Memory allocated: 2810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Memory allocated: 4F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Memory allocated: 5F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Memory allocated: 6060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Memory allocated: 7060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Memory allocated: AE00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Memory allocated: BE00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Memory allocated: C290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Memory allocated: D290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Memory allocated: 1450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Memory allocated: 30C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 599032	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 598907	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 598405	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 598284	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 598157	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595835	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595157	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595032	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 594313	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 593969	Jump to behavior

Source: C:\Users\user\Desktop\Payment slip.exe	Window / User API: threadDelayed 7543			Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Window / User API: threadDelayed 2286			Jump to behavior

Source: C:\Users\user\Desktop\Payment slip.exe TID: 7532	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7584	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7264	Thread sleep count: 7543 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7264	Thread sleep count: 2286 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -599157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -599032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -598907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -598405s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -598284s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -598157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -598032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -597907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -597688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -597563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -595835s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -595266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -595157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -595032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -594907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -594688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -594563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -594438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -594313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -594188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -594078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe TID: 7220	Thread sleep time: -593969s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 599032	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 598907	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 598405	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 598284	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 598157	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595835	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595157	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 595032	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 594313	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Thread delayed: delay time: 593969	Jump to behavior

Source: Payment slip.exe, 00000003.00000002.3659737346.00000000014C4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Payment slip.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Payment slip.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Payment slip.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Payment slip.exe

Memory written: C:\Users\user\Desktop\Payment slip.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Payment slip.exe

Process created: C:\Users\user\Desktop\Payment slip.exe "C:\Users\user\Desktop\Payment slip.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Payment slip.exe	Queries volume information: C:\Users\user\Desktop\Payment slip.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Queries volume information: C:\Users\user\Desktop\Payment slip.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payment slip.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 1.2.Payment slip.exe.443a310.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Payment slip.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment slip.exe.443a310.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3658162162.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3660519204.000000000328F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3660519204.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1216305549.00000000041C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment slip.exe PID: 7528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment slip.exe PID: 7692, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Payment slip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Payment slip.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Payment slip.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 1.2.Payment slip.exe.443a310.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Payment slip.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment slip.exe.443a310.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3658162162.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1216305549.00000000041C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment slip.exe PID: 7528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment slip.exe PID: 7692, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 1.2.Payment slip.exe.443a310.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Payment slip.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment slip.exe.443a310.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment slip.exe.43d50f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment slip.exe.436fed0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3658162162.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3660519204.000000000328F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3660519204.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1216305549.00000000041C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment slip.exe PID: 7528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment slip.exe PID: 7692, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment slip.exe	44%	Virustotal		Browse
Payment slip.exe	61%	ReversingLabs	Win32.Backdoor.njRAT
Payment slip.exe	100%	Avira	HEUR/AGEN.1306911

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.16.1	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	Payment slip.exe, 00000003.00000002.3660519204.0000000003237000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003245000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003273000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003229000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003189000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.000000000321C000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.00000000031CC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	Payment slip.exe, 00000003.00000002.3660519204.0000000003237000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.000000000317D000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003245000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003253000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003273000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003229000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003189000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.000000000321C000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.00000000031CC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	Payment slip.exe, 00000003.00000002.3660519204.0000000003237000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003245000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003273000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003229000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003189000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.000000000321C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Payment slip.exe, 00000003.00000002.3660519204.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	Payment slip.exe, 00000001.00000002.1216305549.00000000041C9000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3658162162.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	Payment slip.exe, 00000003.00000002.3660519204.0000000003237000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003245000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003273000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003229000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.000000000321C000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.00000000031CC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	Payment slip.exe, 00000003.00000002.3660519204.0000000003237000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003245000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003273000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003229000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.000000000321C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	Payment slip.exe, 00000001.00000002.1216305549.00000000041C9000.00000004.00000800.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3658162162.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Payment slip.exe, 00000003.00000002.3660519204.0000000003189000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.16.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1638158
Start date and time:	2025-03-14 09:09:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment slip.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 97% Number of executed functions: 153 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 20.109.210.53
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Payment slip.exe, PID 7692 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:10:05	API Interceptor	11209396x Sleep call for process: Payment slip.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.16.1	https://t.co/6BJID9q49h	Get hash	malicious	HTMLPhisher	Browse	tcerfw.wittnng.sbs/favicon.ico
	J8bamK92a3.exe	Get hash	malicious	FormBook	Browse	www.play-vanguard-nirvana.xyz/egs9/?9r=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDKEzYOkwPMwL8bVA==&vZR=H2MpG0p
	0t7MXNEfCg.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	g1V10ssekg.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/n61y/?UPV=BOlfS7N9ZWkGRIMRgNC6B6+WUTyM673eSjZAzliNIDKZHnAeT7/5dfTbZtimq+dx8K4CQjPcymznAMXPWSrBBYPYz0JSQDMkWzhvpNbFnW2/OcjAWw==&YrV=FlsDgRMx
	0IrTeguWM7.exe	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/ftbq/
	Shipping Document.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/6m32/
	Payment Record.exe

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment slip.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Windows Analysis Report
Payment slip.exe