
Windows Analysis Report SALES INVOICE-CINV-00095891.exe

Overview

General Information

Sample Name: SALES INVOICE-CINV-00095891.exe
Analysis ID: 532655
MD5: 7fb60726a32580224bbe792404c89b03
SHA1: bc1d157f57b8137d266fbb7e10c59d7d5592630d
SHA256: 009e42eeca36392c1e89ae2f75ee45d7e3fc71cadc7d2103d44a98657a6bc471
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • SALES INVOICE-CINV-00095891.exe (PID: 3112 cmdline: "C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe" MD5: 7FB60726A32580224BBE792404C89B03)
    • RegSvcs.exe (PID: 4420 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • NXLun.exe (PID: 6044 cmdline: "C:\Users\user\AppData\Roaming\NXLun\NXLun.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • NXLun.exe (PID: 6308 cmdline: "C:\Users\user\AppData\Roaming\NXLun\NXLun.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "sales@elastopolytec.com", "Password": "id184@2014", "Host": "mail.elastopolytec.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000004.00000000.687359497.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000000.687359497.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000004.00000000.688156708.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000000.688156708.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000002.692645247.0000000003284000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(5 of 15 entries shown)

Unpacked PEs

Source | Rule | Description | Author
4.0.RegSvcs.exe.400000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.0.RegSvcs.exe.400000.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
4.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 15 entries shown)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe" , ParentImage: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe, ParentProcessId: 3112, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4420
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe" , ParentImage: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe, ParentProcessId: 3112, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4420

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 4.0.RegSvcs.exe.400000.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "sales@elastopolytec.com", "Password": "id184@2014", "Host": "mail.elastopolytec.com"}
Multi AV Scanner detection for submitted file
Source: SALES INVOICE-CINV-00095891.exe | Virustotal: Detection: 49%
Source: SALES INVOICE-CINV-00095891.exe | Metadefender: Detection: 22%
Source: SALES INVOICE-CINV-00095891.exe | ReversingLabs: Detection: 82%
Source: 4.0.RegSvcs.exe.400000.2.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.RegSvcs.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.RegSvcs.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.RegSvcs.exe.400000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: SALES INVOICE-CINV-00095891.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SALES INVOICE-CINV-00095891.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, 00000008.00000000.754390057.0000000000382000.00000002.00020000.sdmp, NXLun.exe, 0000000B.00000000.771567330.0000000000532000.00000002.00020000.sdmp, NXLun.exe.4.dr
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, NXLun.exe, 0000000B.00000000.771567330.0000000000532000.00000002.00020000.sdmp, NXLun.exe.4.dr
Source: Joe Sandbox View | ASN Name: LEASEWEB-DE-FRA-10DE
Source: Joe Sandbox View | IP Address: 78.159.106.214
Source: global traffic | TCP traffic: 192.168.2.4:49827 -> 78.159.106.214:587
Source: unknown | DNS traffic detected: queries for: mail.elastopolytec.com
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.691207332.00000000014A0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: SALES INVOICE-CINV-00095891.exe
.NET source code contains very large array initializations
Source: 4.2.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{E0F69EC9-E56B-4F92-AE48-A011E4A95DA1}/13B7390E-23AD-4960-9104-1D15BA2951E5.cs | Large array initialization: .cctor: array initializer size 11954
Source: 4.0.RegSvcs.exe.400000.1.unpack, <PrivateImplementationDetails>{E0F69EC9-E56B-4F92-AE48-A011E4A95DA1}/13B7390E-23AD-4960-9104-1D15BA2951E5.cs | Large array initialization: .cctor: array initializer size 11954
Source: 4.0.RegSvcs.exe.400000.4.unpack, <PrivateImplementationDetails>{E0F69EC9-E56B-4F92-AE48-A011E4A95DA1}/13B7390E-23AD-4960-9104-1D15BA2951E5.cs | Large array initialization: .cctor: array initializer size 11954
Source: 4.0.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{E0F69EC9-E56B-4F92-AE48-A011E4A95DA1}/13B7390E-23AD-4960-9104-1D15BA2951E5.cs | Large array initialization: .cctor: array initializer size 11954
Source: 4.0.RegSvcs.exe.400000.3.unpack, <PrivateImplementationDetails>{E0F69EC9-E56B-4F92-AE48-A011E4A95DA1}/13B7390E-23AD-4960-9104-1D15BA2951E5.cs | Large array initialization: .cctor: array initializer size 11954
Source: SALES INVOICE-CINV-00095891.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SALES INVOICE-CINV-00095891.exe | Binary or memory string: OriginalFilename vs SALES INVOICE-CINV-00095891.exe
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.691207332.00000000014A0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SALES INVOICE-CINV-00095891.exe
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.690344518.0000000000CE2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameISymbolMeth.exeN vs SALES INVOICE-CINV-00095891.exe
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.693046792.00000000042F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUxDdSarWZpLFqEPnALjm.exe4 vs SALES INVOICE-CINV-00095891.exe
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.693046792.00000000042F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs SALES INVOICE-CINV-00095891.exe
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694505753.00000000075F0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs SALES INVOICE-CINV-00095891.exe
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.692539703.00000000031D1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUxDdSarWZpLFqEPnALjm.exe4 vs SALES INVOICE-CINV-00095891.exe
Source: SALES INVOICE-CINV-00095891.exe | Binary or memory string: OriginalFilenameISymbolMeth.exeN vs SALES INVOICE-CINV-00095891.exe
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Source: SALES INVOICE-CINV-00095891.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SALES INVOICE-CINV-00095891.exe | Virustotal: Detection: 49%
Source: SALES INVOICE-CINV-00095891.exe | Metadefender: Detection: 22%
Source: SALES INVOICE-CINV-00095891.exe | ReversingLabs: Detection: 82%
Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe "C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe"
Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe "C:\Users\user\AppData\Roaming\NXLun\NXLun.exe"
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe "C:\Users\user\AppData\Roaming\NXLun\NXLun.exe"
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SALES INVOICE-CINV-00095891.exe.log
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@2/1
Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Mutant created: \Sessions\1\BaseNamedObjects\rpvuinoqqRDQgL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_01
Source: 4.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 4.2.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 4.0.RegSvcs.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 4.0.RegSvcs.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 4.0.RegSvcs.exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 4.0.RegSvcs.exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: SALES INVOICE-CINV-00095891.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: SALES INVOICE-CINV-00095891.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: RegSvcs.pdb, source: NXLun.exe, 00000008.00000000.754390057.0000000000382000.00000002.00020000.sdmp, NXLun.exe, 0000000B.00000000.771567330.0000000000532000.00000002.00020000.sdmp, NXLun.exe.4.dr
                      Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe, 0000000B.00000000.771567330.0000000000532000.00000002.00020000.sdmp, NXLun.exe.4.dr

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: SALES INVOICE-CINV-00095891.exe, u000fu2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.2.SALES INVOICE-CINV-00095891.exe.ce0000.0.unpack, u000fu2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.SALES INVOICE-CINV-00095891.exe.ce0000.0.unpack, u000fu2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Code function: 1_2_00CE75CE push ss; retf 1_2_00CE75D6
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Code function: 1_2_031B688C push 8B014245h; iretd 1_2_031B6891
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Code function: 1_2_07785E10 push eax; iretd 1_2_07785E11
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01027E3F push edi; retn 0000h 4_2_01027E41
                      Source: initial sample | Static PE information: section name: .text entropy: 7.77662695423
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLun

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess in