

Analysis Report NEW_INVOICE.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:1048170
Start date:24.01.2020
Start time:13:24:47
Joe Sandbox Product:Cloud
Overall analysis duration:0h 12m 28s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:NEW_INVOICE.exe
Cookbook file name:default.jbs
Analysis system description:Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed:15
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@14/10@2/1
EGA Information:
  • Successful, ratio: 50%
HDC Information:Failed
HCA Information:
  • Successful, ratio: 95%
  • Number of executed functions: 453
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Adjusted system time to: 20/1/2020
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, mscorsvw.exe
  • Excluded IPs from analysis (whitelisted): 192.35.177.64, 8.253.207.121, 8.248.123.254, 67.26.139.254, 8.248.141.254, 8.253.204.121, 13.107.4.50, 8.238.21.254, 67.26.111.254, 67.26.109.254, 8.238.20.254, 8.238.23.254
  • Excluded domains from analysis (whitelisted): au.au-msedge.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, au.c-0001.c-msedge.net, auto.au.download.windowsupdate.com.c.footprint.net, apps.identrust.com
  • Execution Graph export aborted for target SjKMY.exe, PID 2900 because it is empty
  • Execution Graph export aborted for target SjKMY.exe, PID 3300 because it is empty
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy   Score  Range    Reporting       Whitelisted  Threat      Detection
Threshold  100    0 - 100  Report FP / FN  false        AgentTesla  malicious

Confidence

Strategy   Score  Range  Further Analysis Required?
Threshold  5      0 - 5  false


Classification

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")



Mitre Att&ck Matrix

Techniques flagged by the report, grouped by tactic. The trailing digits are the report's signature-hit markers, kept as extracted; tactics whose matrix cells carry no marker are listed as none.

Initial Access: none
Execution: Windows Management Instrumentation (221), Command-Line Interface (3), Scheduled Task (1)
Persistence: Registry Run Keys / Startup Folder (1), Hidden Files and Directories (1), Scheduled Task (1)
Privilege Escalation: Access Token Manipulation (1), Process Injection (212), Scheduled Task (1)
Defense Evasion: Software Packing (3), Disabling Security Tools (1), Obfuscated Files or Information (2), Masquerading (1), Hidden Files and Directories (1), Virtualization/Sandbox Evasion (14), Access Token Manipulation (1), Process Injection (212)
Credential Access: Credential Dumping (2), Input Capture (11), Credentials in Registry (1)
Discovery: Account Discovery (1), Security Software Discovery (231), File and Directory Discovery (2), System Information Discovery (114), Query Registry (1), Virtualization/Sandbox Evasion (14), Process Discovery (2), System Owner/User Discovery (1), Remote System Discovery (1)
Lateral Movement: Remote File Copy (1)
Collection: Data from Local System (2), Email Collection (1), Input Capture (11), Clipboard Data (1)
Exfiltration: Data Encrypted (1)
Command and Control: Commonly Used Port (1), Remote File Copy (1), Standard Cryptographic Protocol (1), Standard Non-Application Layer Protocol (1), Standard Application Layer Protocol (1)
Network Effects: none
Remote Service Effects: none
Impact: none

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.ugaix
Source: C:\Users\user\AppData\Roaming\lNzSaUcIhlGHF.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.ugaix
Antivirus detection for sample
Source: NEW_INVOICE.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.ugaix
Found malware configuration
Source: SjKMY.exe.2900.13.memstr | Malware Configuration Extractor: Agenttesla {"To: ": "rameshwar.raut@eminentleague.com", "ByHost:": "mail.eminentleague.com:587", "From: ": "rameshwar.raut@eminentleague.com"}
Multi AV Scanner detection for submitted file
Source: NEW_INVOICE.exe | Virustotal: Detection: 73%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\lNzSaUcIhlGHF.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: NEW_INVOICE.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.2.SjKMY.exe.270000.0.unpack | Avira: Label: TR/Dropper.MSIL.ugaix
Source: 7.0.NEW_INVOICE.exe.1230000.0.unpack | Avira: Label: TR/Dropper.MSIL.ugaix
Source: 8.0.SjKMY.exe.270000.0.unpack | Avira: Label: TR/Dropper.MSIL.ugaix
Source: 13.0.SjKMY.exe.270000.0.unpack | Avira: Label: TR/Dropper.MSIL.ugaix
Source: 13.2.SjKMY.exe.400000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.0.NEW_INVOICE.exe.1230000.0.unpack | Avira: Label: TR/Dropper.MSIL.ugaix
Source: 7.2.NEW_INVOICE.exe.1230000.6.unpack | Avira: Label: TR/Dropper.MSIL.ugaix
Source: 7.2.NEW_INVOICE.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen

Spreading:

Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Code function: 7_2_0027A09A recv
Found strings which match to known social media urls
Source: NEW_INVOICE.exe, 00000007.00000002.592489886.00346000.00000004.00000020.sdmp, SjKMY.exe, 0000000D.00000002.599660337.00642000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: mail.eminentleague.com
Urls found in memory or binary data
Note: the CRL, OCSP and CPS URLs below are certificate-chain metadata (Let's Encrypt/IdenTrust, Comodo, Entrust, GlobalSign, PKIoverheid) held in process memory, consistent with TLS certificate validation during the STARTTLS session on port 587; they are not contact points of the malware. The only network indicator specific to this sample is the SMTP host mail.eminentleague.com from the extracted configuration, which is also the only domain queried during the run. The random-looking https://v6745Ki5eOlpwSJ6UFt.org string appears only in SjKMY.exe memory and was never resolved. The paypal.me, paypal.com and pi.hole strings sit in the binary itself.
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.7.dr | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: NEW_INVOICE.exe, 00000007.00000002.594629850.01EC0000.00000004.00000001.sdmp, SjKMY.exe, 0000000D.00000002.599660337.00642000.00000004.00000020.sdmp | Strings found in binary or memory:
  • http://apps.identrust.com/roots/dstrootcax3.p7c0
  • http://cert.int-x3.letsencrypt.org/0
  • http://cps.letsencrypt.org0
  • http://cps.root-x1.letsencrypt.org0
  • http://crl.identrust.com/DSTROOTCAX3CRL.crl0
  • http://isrg.trustid.ocsp.identrust.com0;
  • http://ocsp.int-x3.letsencrypt.org0/
Source: NEW_INVOICE.exe, 00000007.00000002.592489886.00346000.00000004.00000020.sdmp, SjKMY.exe, 0000000D.00000002.599660337.00642000.00000004.00000020.sdmp | Strings found in binary or memory:
  • http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
  • http://crl.entrust.net/2048ca.crl0
  • http://crl.entrust.net/server1.crl0
  • http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
  • http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
  • http://ocsp.comodoca.com0
  • http://ocsp.comodoca.com0%
  • http://ocsp.comodoca.com0-
  • http://ocsp.comodoca.com0/
  • http://ocsp.comodoca.com05
  • http://ocsp.entrust.net03
  • http://ocsp.entrust.net0D
  • http://www.digicert.com.my/cps.htm02
  • http://www.diginotar.nl/cps/pkioverheid0
  • https://secure.comodo.com/CPS0
Source: NEW_INVOICE.exe, 00000007.00000002.595738085.04D40000.00000004.00000001.sdmp, SjKMY.exe, 0000000D.00000002.602446126.04CD0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SjKMY.exe, 0000000D.00000002.602446126.04CD0000.00000004.00000001.sdmp | Strings found in binary or memory:
  • http://crl.useZ
  • http://www.usertrust.
Source: NEW_INVOICE.exe, 00000007.00000002.592342373.002C9000.00000004.00000020.sdmp | Strings found in binary or memory:
  • http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
  • http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: NEW_INVOICE.exe, 00000007.00000002.595764095.04D6A000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab8
Source: NEW_INVOICE.exe, 00000007.00000002.592489886.00346000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabv
Source: SjKMY.exe, 0000000D.00000002.599660337.00642000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.orT
Source: NEW_INVOICE.exe | Strings found in binary or memory:
  • http://pi.hole/admin/
  • http://pi.hole/admin/5ManHole
Source: SjKMY.exe, SjKMY.exe, 0000000D.00000000.468616532.00272000.00000020.00020000.sdmp, NEW_INVOICE.exe | String found in binary or memory: https://paypal.me/justinboughton
Source: SjKMY.exe, 0000000D.00000002.600936606.01B80000.00000004.00000001.sdmp | Strings found in binary or memory:
  • https://v6745Ki5eOlpwSJ6UFt.org
  • https://v6745Ki5eOlpwSJ6UFt.orgH
Source: SjKMY.exe, NEW_INVOICE.exe | String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=3J2L3Z4DHW9UY
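The extracted AgentTesla configuration (AV Detection section) and the single DNS query in this section are the indicators worth operationalising. The following is an added example, not code from the Joe Sandbox report or from Joe Security: it normalises the extractor's key names, wildcards the sandbox user name out of the dropped-file paths, and runs the resulting IOC set together with two behavioural checks (SMTP submission on port 587 from an executable under AppData\Roaming, and a Run-key value pointing there) over constructed key=value endpoint telemetry. The telemetry lines, the host names WS01/WS02, the user name bob and the event field names are assumptions.

```python
# Added example (not code from the Joe Sandbox report or from Joe Security):
# operationalise the indicators this report exposes. Telemetry lines, host
# names, user names and the key=value event format are constructed.
import re
from typing import Dict, List

# Copied from the "Found malware configuration" signature (SjKMY.exe, PID 2900).
# Joe Sandbox's extractor emits keys with stray punctuation ("To: ", "ByHost:").
EXTRACTED_CONFIG = {
    "To: ": "rameshwar.raut@eminentleague.com",
    "ByHost:": "mail.eminentleague.com:587",
    "From: ": "rameshwar.raut@eminentleague.com",
}

# Paths from the "Antivirus detection for dropped file" signature.
DROPPED_FILES = [
    r"C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe",
    r"C:\Users\user\AppData\Roaming\lNzSaUcIhlGHF.exe",
]

# Behavioural generalisation of those paths: any .exe directly under
# AppData\Roaming or in one sub-folder of it. Too noisy to alert on alone
# (legitimate per-user installers live there), so below it only qualifies a
# network or persistence event.
APPDATA_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\(?:[^\\]+\\)?[^\\]+\.exe$",
    re.IGNORECASE,
)


def parse_agenttesla_config(cfg: Dict[str, str]) -> Dict[str, object]:
    """Normalise the extractor's keys and split the SMTP exfiltration target."""
    norm = {re.sub(r"[^a-z]", "", k.lower()): v for k, v in cfg.items()}
    host, _, port = norm["byhost"].partition(":")
    return {
        "smtp_host": host.lower(),
        "smtp_port": int(port) if port else 25,  # assume plain SMTP if no port given
        "mailboxes": sorted({norm["to"].lower(), norm["from"].lower()}),
    }


def user_agnostic(path: str) -> "re.Pattern[str]":
    """Exact-path IOC with the sandbox user name (C:\\Users\\user) wildcarded."""
    parts = path.split("\\")
    if len(parts) > 2 and parts[0].lower() == "c:" and parts[1].lower() == "users":
        parts[2] = None  # any user name
    body = r"\\".join(r"[^\\]+" if p is None else re.escape(p) for p in parts)
    return re.compile("^" + body + "$", re.IGNORECASE)


def build_iocs() -> Dict[str, object]:
    return {
        "config": parse_agenttesla_config(EXTRACTED_CONFIG),
        "drop_patterns": [user_agnostic(p) for p in DROPPED_FILES],
    }


# Constructed telemetry: one key=value event per line, as an EDR might emit it.
TELEMETRY = r"""
2020-01-24T13:25:02Z host=WS01 event=filecreate image=C:\Users\bob\Downloads\NEW_INVOICE.exe path=C:\Users\bob\AppData\Roaming\dDFKPCD\SjKMY.exe
2020-01-24T13:25:03Z host=WS01 event=regset image=C:\Users\bob\Downloads\NEW_INVOICE.exe key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SjKMY value=C:\Users\bob\AppData\Roaming\dDFKPCD\SjKMY.exe
2020-01-24T13:26:01Z host=WS01 event=dns image=C:\Users\bob\AppData\Roaming\dDFKPCD\SjKMY.exe qname=mail.eminentleague.com
2020-01-24T13:26:02Z host=WS01 event=netconn image=C:\Users\bob\AppData\Roaming\dDFKPCD\SjKMY.exe proto=tcp dport=587
2020-01-24T13:30:00Z host=WS02 event=netconn image="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" proto=tcp dport=587
2020-01-24T13:31:00Z host=WS02 event=dns image="C:\Program Files\Mozilla Firefox\firefox.exe" qname=www.yahoo.com
""".strip()


def parse_event(line: str) -> Dict[str, str]:
    """Split one telemetry line into fields; quoted values may contain spaces."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', rest):
        fields[m.group(1)] = m.group(2).strip('"')
    return fields


def scan(telemetry: str, iocs: Dict[str, object]) -> List[Dict[str, str]]:
    """One finding per event matching an exact IOC or a qualified behaviour."""
    cfg = iocs["config"]
    drop_patterns = iocs["drop_patterns"]
    findings: List[Dict[str, str]] = []

    def flag(kind: str, reason: str, ev: Dict[str, str]) -> None:
        findings.append({"kind": kind, "reason": reason, "ts": ev["ts"],
                         "host": ev.get("host", "?"), "image": ev.get("image", "?")})

    for line in telemetry.splitlines():
        ev = parse_event(line)
        kind = ev.get("event")
        if kind == "dns" and ev.get("qname", "").lower() == cfg["smtp_host"]:
            flag("ioc", "DNS query for the AgentTesla SMTP exfiltration host", ev)
        elif kind == "filecreate" and any(p.match(ev.get("path", "")) for p in drop_patterns):
            flag("ioc", "known dropped-file path", ev)
        elif kind == "netconn" and ev.get("dport") == str(cfg["smtp_port"]) \
                and APPDATA_EXE.match(ev.get("image", "")):
            flag("behaviour", "SMTP submission from an executable under AppData\\Roaming", ev)
        elif kind == "regset" and "\\currentversion\\run\\" in ev.get("key", "").lower() \
                and APPDATA_EXE.match(ev.get("value", "")):
            flag("behaviour", "Run-key persistence pointing into AppData\\Roaming", ev)
    return findings


if __name__ == "__main__":
    for f in scan(TELEMETRY, build_iocs()):
        print(f"{f['ts']} {f['host']} [{f['kind']}] {f['reason']}: {f['image']}")
```

Exact-path and hostname hits are high confidence but brittle: the two dropped names in this report already differ and look generated, so they will not survive the next build. The two behavioural rules do survive re-packing, but only stay quiet on mail clients and legitimate AppData\Roaming installers because of the image-path filter (OUTLOOK.EXE on port 587 is not flagged).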

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Windows user hook set: thread 0 (system-wide), keyboard low level (WH_KEYBOARD_LL), hook module: C:\Users\user\Desktop\NEW_INVOICE.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Window created: window name: CLIPBRDWNDCLASS
Note: CLIPBRDWNDCLASS is the class of the hidden OLE clipboard window that ole32.dll creates for any process that initialises OLE, so on its own it is a weak indicator; the system-wide low-level keyboard hook above is the stronger signal of keylogging.

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Note: CryptnetUrlCache is CryptoAPI's cache for certificate-chain objects fetched over HTTP; this entry is tied to the http://apps.identrust.com/roots/dstrootcax3.p7c fetch listed under "Urls found in memory or binary data". It is a side effect of certificate validation in the process, not a file the sample writes deliberately.

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: NEW_INVOICE.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Code function: 7_2_00ED0472 NtQuerySystemInformation
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Code function: 7_2_00ED0441 NtQuerySystemInformation
Detected potential crypto function
Note: heuristic match on arithmetic- and bit-operation-dense functions. The sample is .NET (see the TR/Dropper.MSIL labels), so these addresses point into JIT-compiled or unpacked memory regions, not into the file on disk.
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Code functions (process 1): 1_2_0078335F, 1_2_00780A50, 1_2_007853F8, 1_2_007878D0, 1_2_007849D0, 1_2_00780A3F, 1_2_007878C1
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Code functions (process 7):
  7_2_00383C7D, 7_2_00EF18E8, 7_2_00EFB8F0, 7_2_00EF6878, 7_2_00EFBC40, 7_2_00EF2834,
  7_2_00EFE1D8, 7_2_00EF8920, 7_2_00EFC930, 7_2_00EF3AF0, 7_2_00EF02F0, 7_2_00EF96B8,
  7_2_00EFA680, 7_2_00EFC270, 7_2_00EF9F80, 7_2_00EF5365, 7_2_00EFB8E0, 7_2_00EF88F2,
  7_2_00EF28DC, 7_2_00EF58D2, 7_2_00EF2CA5, 7_2_00EF28A3, 7_2_00EF34BB, 7_2_00EF8088,
  7_2_00EF3494, 7_2_00EF2C7E, 7_2_00EF345B, 7_2_00EF2858, 7_2_00EF5455, 7_2_00EF3029,
  7_2_00EF2C3C, 7_2_00EFBC31, 7_2_00EF1000, 7_2_00EF3416, 7_2_00EF2C15, 7_2_00EF29ED,
  7_2_00EF35E7, 7_2_00EF2DFE, 7_2_00EF31DF, 7_2_00EFB1BF, 7_2_00EF2DB3, 7_2_00EF2D89,
  7_2_00EF359C, 7_2_00EF3194, 7_2_00EF2990, 7_2_00EF316D, 7_2_00EF7D64, 7_2_00EF2D62,
  7_2_00EF3575, 7_2_00EFB140, 7_2_00EF2957, 7_2_00EF312E, 7_2_00EF2D29, 7_2_00EF353C,
  7_2_00EF2903, 7_2_00EF2D02, 7_2_00EF32EA, 7_2_00EF2EE2, 7_2_00EF2AFB, 7_2_00EF56F8,
  7_2_00EF36DD, 7_2_00EF2AD4, 7_2_00EF96A9, 7_2_00EF328D, 7_2_00EF2A89, 7_2_00EFAE86,
  7_2_00EF3680, 7_2_00EF3266, 7_2_00EFA671, 7_2_00EF2E4F, 7_2_00EF2A4A, 7_2_00EF2E25,
  7_2_00EF323F, 7_2_00EF3635, 7_2_00EF360E, 7_2_00EF3206, 7_2_00EF2BEE, 7_2_00EF73EC,
  7_2_00EF2FF0, 7_2_00EF33CB, 7_2_00EF2FC3, 7_2_00EFABD5, 7_2_00EF37BB, 7_2_00EF3798,
  7_2_00EF8360, 7_2_00EF2B49, 7_2_00EF335C, 7_2_00EF3755, 7_2_00EF2F54, 7_2_00EF9F51,
  7_2_00EF372E, 7_2_00EF2B22, 7_2_00EF3707, 7_2_00EF2F1B, 7_2_00EF3311, 7_2_00EF0B10,
  7_2_00F004E8, 7_2_00F03EB0, 7_2_00F01A0A, 7_2_00F004D9, 7_2_00F024BF, 7_2_00F006FA,
  7_2_00F01ED2, 7_2_00F006A6, 7_2_00F00652, 7_2_00F007A2, 7_2_00F03388, 7_2_00F03F68,
  7_2_00F0074E, 7_2_00F2E158, 7_2_00F2F588, 7_2_00F2EBF4, 7_2_00F2F578, 7_2_00F2EC66,
  7_2_0109037A, 7_2_01090070, 7_2_01091788, 7_2_01090011, 7_2_01090D90, 7_2_01091761
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Code functions (process 8): 8_2_00713360, 8_2_00710A50, 8_2_00717540, 8_2_007153F8, 8_2_007149D0, 8_2_00717530, 8_2_00710A3F
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Code functions (process 13):
  13_2_00233C7D, 13_2_015AC930, 13_2_015A8920, 13_2_015AE1D8, 13_2_015A25B8, 13_2_015ABC40,
  13_2_015A6878, 13_2_015AB8F0, 13_2_015A18E8, 13_2_015A536C, 13_2_015A27E8, 13_2_015A9F80,
  13_2_015AC270, 13_2_015A3AF0, 13_2_015A02F0, 13_2_015AA680, 13_2_015A96B8, 13_2_015A2957,
  13_2_015AB140, 13_2_015A3575, 13_2_015A316D, 13_2_015A2D62, 13_2_015A7D64, 13_2_015A8910,
  13_2_015A2D02, 13_2_015A2903, 13_2_015A353C, 13_2_015A2D29, 13_2_015A312E, 13_2_015AC920,
  13_2_015A31DF, 13_2_015AE1C8, 13_2_015A2DFE, 13_2_015A29ED, 13_2_015A35E7, 13_2_015A359C,
  13_2_015A2990, 13_2_015A3194, 13_2_015A2D89, 13_2_015AB1BF, 13_2_015A2DB3, 13_2_015A345B,
  13_2_015A2858, 13_2_015A5455, 13_2_015A2C7E, 13_2_015AE810, 13_2_015A3416
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A2C1513_2_015A2C15
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A2C3C13_2_015A2C3C
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015ABC3113_2_015ABC31
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A283413_2_015A2834
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A302913_2_015A3029
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A442113_2_015A4421
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A28DC13_2_015A28DC
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A58D213_2_015A58D2
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A5CF013_2_015A5CF0
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A5CE013_2_015A5CE0
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015AB8E013_2_015AB8E0
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A349413_2_015A3494
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A808813_2_015A8088
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A34BB13_2_015A34BB
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A28A313_2_015A28A3
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A2CA513_2_015A2CA5
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A335C13_2_015A335C
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A9F5113_2_015A9F51
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A635613_2_015A6356
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A2F5413_2_015A2F54
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A375513_2_015A3755
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A2B4913_2_015A2B49
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A836013_2_015A8360
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A2F1B13_2_015A2F1B
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A0B1013_2_015A0B10
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A331113_2_015A3311
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A370713_2_015A3707
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A372E13_2_015A372E
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A2B2213_2_015A2B22
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015AABD513_2_015AABD5
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A33CB13_2_015A33CB
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A2FC313_2_015A2FC3
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A2FF013_2_015A2FF0
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A2BEE13_2_015A2BEE
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A73EC13_2_015A73EC
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A379813_2_015A3798
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A37BB13_2_015A37BB
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A2A4A13_2_015A2A4A
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015ADA4813_2_015ADA48
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A2E4F13_2_015A2E4F
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015AA67113_2_015AA671
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A326613_2_015A3266
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A360E13_2_015A360E
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A320613_2_015A3206
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A323F13_2_015A323F
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A363513_2_015A3635
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A2E2513_2_015A2E25
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A36DD13_2_015A36DD
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A2AD413_2_015A2AD4
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A2AFB13_2_015A2AFB
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A56F813_2_015A56F8
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A32EA13_2_015A32EA
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A2EE213_2_015A2EE2
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A2A8913_2_015A2A89
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A328D13_2_015A328D
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A368013_2_015A3680
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015AAE8613_2_015AAE86
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015A96A913_2_015A96A9
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015C04E813_2_015C04E8
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015C1A0A13_2_015C1A0A
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015C3EB013_2_015C3EB0
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015C04D913_2_015C04D9
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015C24BF13_2_015C24BF
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015C074E13_2_015C074E
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015C3F6813_2_015C3F68
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015C338813_2_015C3388
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015C07A213_2_015C07A2
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015C065213_2_015C0652
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015C1ED213_2_015C1ED2
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015C1A0A13_2_015C1A0A
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015C06FA13_2_015C06FA
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_015C06A613_2_015C06A6
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_0178037913_2_01780379
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_0178007013_2_01780070
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_0178123013_2_01781230
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_01780D6013_2_01780D60
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_01780D5013_2_01780D50
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_0178001213_2_01780012
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_0178124013_2_01781240
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_017AE15813_2_017AE158
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_017AF58813_2_017AF588
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_017AF57813_2_017AF578
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_017AEBF413_2_017AEBF4
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exeCode function: 13_2_017AEC6613_2_017AEC66
Sample file is different than original file name gathered from version info
Source: NEW_INVOICE.exe, 00000001.00000002.320768514.012BA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameManHole.exe0 vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000001.00000002.320571277.01220000.00000008.00000001.sdmp | Binary or memory string: originalfilename vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000001.00000002.320571277.01220000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000001.00000002.321842021.03F40000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCyaX.dll0 vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000001.00000002.318507957.007D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSoftware Updates.dllB vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000001.00000002.320873231.01F1B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameetyhsYVkzJvsTBHqhWuvbBmDtVNgNDqwJlorOeh.exe4 vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000001.00000002.318657678.00890000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000001.00000002.317791403.00313000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000001.00000002.320481184.01150000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000001.00000002.320508341.011A0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000007.00000002.594558286.012BA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameManHole.exe0 vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000007.00000002.595383481.03EC0000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenamewinhttp.dll.muij% vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000007.00000002.594263316.01050000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000007.00000002.594317226.010A0000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000007.00000002.592179329.002A3000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000007.00000002.592342373.002C9000.00000004.00000020.sdmp | Binary or memory string: OriginalFilename#\?n vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000007.00000002.594342998.011B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000007.00000002.592774692.0044A000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameetyhsYVkzJvsTBHqhWuvbBmDtVNgNDqwJlorOeh.exe4 vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000007.00000002.594175188.00F10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000007.00000002.595455160.04180000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbasej% vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe, 00000007.00000002.593072146.007E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs NEW_INVOICE.exe
Source: NEW_INVOICE.exe | Binary or memory string: OriginalFilenameManHole.exe0 vs NEW_INVOICE.exe
Yara signature match
Source: 00000001.00000002.321842021.03F40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: ConventionEngine_Term_Desktop sample_md5 = 71cdba3859ca8bd03c1e996a790c04f9, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 00000001.00000002.321842021.03F40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 00000008.00000002.474216706.03ED0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: ConventionEngine_Term_Desktop sample_md5 = 71cdba3859ca8bd03c1e996a790c04f9, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 00000008.00000002.474216706.03ED0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 8.2.SjKMY.exe.3ed0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: ConventionEngine_Term_Desktop sample_md5 = 71cdba3859ca8bd03c1e996a790c04f9, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 8.2.SjKMY.exe.3ed0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 8.2.SjKMY.exe.3ed0000.6.unpack, type: UNPACKEDPE | Matched rule: ConventionEngine_Term_Desktop sample_md5 = 71cdba3859ca8bd03c1e996a790c04f9, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 8.2.SjKMY.exe.3ed0000.6.unpack, type: UNPACKEDPE | Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 1.2.NEW_INVOICE.exe.3f40000.6.raw.unpack, type: UNPACKEDPE | Matched rule: ConventionEngine_Term_Desktop sample_md5 = 71cdba3859ca8bd03c1e996a790c04f9, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 1.2.NEW_INVOICE.exe.3f40000.6.raw.unpack, type: UNPACKEDPE | Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 1.2.NEW_INVOICE.exe.3f40000.6.unpack, type: UNPACKEDPE | Matched rule: ConventionEngine_Term_Desktop sample_md5 = 71cdba3859ca8bd03c1e996a790c04f9, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 1.2.NEW_INVOICE.exe.3f40000.6.unpack, type: UNPACKEDPE | Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 8.2.SjKMY.exe.3e80000.5.unpack, type: UNPACKEDPE | Matched rule: ConventionEngine_Term_Desktop sample_md5 = 71cdba3859ca8bd03c1e996a790c04f9, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 8.2.SjKMY.exe.3e80000.5.unpack, type: UNPACKEDPE | Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: NEW_INVOICE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lNzSaUcIhlGHF.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SjKMY.exe.7.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Classification label
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@14/10@2/1
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Code function: 7_2_00ED02F6 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Code function: 7_2_00ED02BF AdjustTokenPrivileges
Creates files inside the user directory
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | File created: C:\Users\user\AppData\Roaming\lNzSaUcIhlGHF.exe
Creates mutexes
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Creates temporary files
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | File created: C:\Users\user\AppData\Local\Temp\tmpB1D8.tmp
Found command line output
Source: C:\Windows\System32\schtasks.exe | Console Write: ........a.{u..0.........,...X...Qv..........................`.....#.......%.....<...............P...........W.......G..u
Source: C:\Windows\System32\schtasks.exe | Console Write: ........a.{u..0.....E.R.R.O.R.:. .............................zu..............zu......,...w.@...G..u..................-.
Source: C:\Windows\System32\schtasks.exe | Console Write: ........a.{u..0.............$.....................................$...................-.......6.t.......j...j..u..G.....
PE file has an executable .text section and no other executable section
Source: NEW_INVOICE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries process information (via WMI, Win32_Process)
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Reads ini files
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: NEW_INVOICE.exe | Virustotal: Detection: 73%
Sample might require command line arguments
Source: NEW_INVOICE.exe | String found in binary or memory: Get your Auth key from /etc/pihole/setupVars.conf on your Pi. You want the WEBPASSWORD hash displayed in that file. You will be unable to start/stop your Pi-Hole without this. This information is only stored locally, and if you change your password, you will n
Source: NEW_INVOICE.exe | String found in binary or memory: Get your Auth key from /etc/pihole/setupVars.conf on your Pi. You want the WEBPASSWORD hash displayed in that file. You will be unable to start/stop your Pi-Hole without this. This information is only stored locally, and if you change your password, you will n
Source: NEW_INVOICE.exe | String found in binary or memory: Get your Auth key from /etc/pihole/setupVars.conf on your Pi. You want the WEBPASSWORD hash displayed in that file. You will be unable to start/stop your Pi-Hole without this. This information is only stored locally, and if you change your password, you will n
Source: NEW_INVOICE.exe | String found in binary or memory: Get your Auth key from /etc/pihole/setupVars.conf on your Pi. You want the WEBPASSWORD hash displayed in that file. You will be unable to start/stop your Pi-Hole without this. This information is only stored locally, and if you change your password, you will n
Source: SjKMY.exe | String found in binary or memory: Get your Auth key from /etc/pihole/setupVars.conf on your Pi. You want the WEBPASSWORD hash displayed in that file. You will be unable to start/stop your Pi-Hole without this. This information is only stored locally, and if you change your password, you will n
Source: SjKMY.exe | String found in binary or memory: Get your Auth key from /etc/pihole/setupVars.conf on your Pi. You want the WEBPASSWORD hash displayed in that file. You will be unable to start/stop your Pi-Hole without this. This information is only stored locally, and if you change your password, you will n
Source: SjKMY.exe | String found in binary or memory: Get your Auth key from /etc/pihole/setupVars.conf on your Pi. You want the WEBPASSWORD hash displayed in that file. You will be unable to start/stop your Pi-Hole without this. This information is only stored locally, and if you change your password, you will n
Source: SjKMY.exe | String found in binary or memory: Get your Auth key from /etc/pihole/setupVars.conf on your Pi. You want the WEBPASSWORD hash displayed in that file. You will be unable to start/stop your Pi-Hole without this. This information is only stored locally, and if you change your password, you will n
Source: NEW_INVOICE.exe | String found in binary or memory: Get your Auth key from /etc/pihole/setupVars.conf on your Pi. You want the WEBPASSWORD hash displayed in that file. You will be unable to start/stop your Pi-Hole without this. This information is only stored locally, and if you change your password, you will need to update this setting.
Source: NEW_INVOICE.exe | String found in binary or memory: Get your Auth key from /etc/pihole/setupVars.conf on your Pi. You want the WEBPASSWORD hash displayed in that file. You will be unable to start/stop your Pi-Hole without this. This information is only stored locally, and if you change your password, you will need to update this setting.
Sample reads its own file content
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | File read: C:\Users\user\Desktop\NEW_INVOICE.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\NEW_INVOICE.exe 'C:\Users\user\Desktop\NEW_INVOICE.exe'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Get-MpPreference -verbose
Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lNzSaUcIhlGHF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB1D8.tmp'
Source: unknown | Process created: C:\Users\user\Desktop\NEW_INVOICE.exe C:\Users\user\Desktop\NEW_INVOICE.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe 'C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Get-MpPreference -verbose
Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lNzSaUcIhlGHF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB28F.tmp'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Get-MpPreference -verbose
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lNzSaUcIhlGHF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB1D8.tmp'
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Process created: C:\Users\user\Desktop\NEW_INVOICE.exe C:\Users\user\Desktop\NEW_INVOICE.exe
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Get-MpPreference -verbose
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lNzSaUcIhlGHF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB28F.tmp'
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Process created: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Users\user\Desktop\NEW_INVOICE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
Uses Microsoft SilverlightShow sources
Source: C:\Users\user\Desktop\NEW_INVOICE.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
Checks if Microsoft Office is installedShow sources
Source: C:\Users\user\Desktop\NEW_INVOICE.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
PE file contains a COM descriptor data directoryShow sources
Source: NEW_INVOICE.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Uses new MSVCR DllsShow sources
Source: C:\Users\user\Desktop\NEW_INVOICE.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dllJump to behavior
Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
Source: NEW_INVOICE.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbolsShow sources
Source: Binary string: C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdb source: NEW_INVOICE.exe, 00000001.00000002.321842021.03F40000.00000004.00000001.sdmp, SjKMY.exe, 00000008.00000002.472784341.0196B000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: NEW_INVOICE.exe, 00000001.00000002.318657678.00890000.00000002.00000001.sdmp, NEW_INVOICE.exe, 00000007.00000002.594342998.011B0000.00000002.00000001.sdmp, SjKMY.exe, 00000008.00000002.474032664.03E20000.00000002.00000001.sdmp, SjKMY.exe, 0000000D.00000002.601889277.03B80000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 1_2_0123793A push cs; retn 000Eh 1_2_012379BC
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 1_2_01237F0D push cs; ret 1_2_01237FC4
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 1_2_01237877 push cs; retn 000Eh 1_2_012379BC
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 1_2_01235BBC push cs; ret 1_2_01235BC8
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 1_2_012358F0 push cs; ret 1_2_01235B48
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 1_2_012379FB push cs; ret 1_2_01237A84
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 1_2_01237FC5 push cs; ret 1_2_01238084
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 1_2_012379C4 push cs; ret 1_2_01237A84
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 1_2_01235CC9 push cs; ret 1_2_01235D48
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 1_2_00287839 push eax; retn 0028h 1_2_002878A5
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 1_2_00287839 push eax; retn 0028h 1_2_002878C1
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 1_2_002880A5 push esp; ret 1_2_002880DD
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 1_2_002878E9 pushad ; retn 0028h 1_2_00287901
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 1_2_002878C8 pushad ; retn 0028h 1_2_002878E5
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 1_2_002878C8 pushad ; retn 0028h 1_2_00287901
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 7_2_0123793A push cs; retn 000Eh 7_2_012379BC
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 7_2_01237F0D push cs; ret 7_2_01237FC4
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 7_2_01237877 push cs; retn 000Eh 7_2_012379BC
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 7_2_01235BBC push cs; ret 7_2_01235BC8
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 7_2_012358F0 push cs; ret 7_2_01235B48
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 7_2_012379FB push cs; ret 7_2_01237A84
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 7_2_01237FC5 push cs; ret 7_2_01238084
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 7_2_012379C4 push cs; ret 7_2_01237A84
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 7_2_01235CC9 push cs; ret 7_2_01235D48
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 7_2_0038907D pushad ; retn 0038h 7_2_0038908D
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 7_2_003890E0 push esp; retn 0038h 7_2_003890FD
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 7_2_0038915C push esp; retn 0038h 7_2_00389169
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 7_2_00389692 push ecx; ret 7_2_00389695
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 7_2_00384FA1 push 50390002h; iretd 7_2_00384FA9
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 7_2_00EF7191 push esi; ret 7_2_00EF71A7
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Code function: 7_2_00EFD24F push es; retf 7_2_00EFD260
Binary may include packed or encrypted code
Source: initial sample; Static PE information: section name: .text entropy: 7.40004234633
.NET source code contains many randomly named methods
Source: NEW_INVOICE.exe, ManHole/gRDP.cs; High entropy of concatenated method names: '.ctor', 'ceccTWDomyAWGsbYfaKNUOUfueBaYuYSrywN', 'GekvLxQJPFLCrLTiSxihEEWEzmBnPpbZAH', 'SpELbVgRRdJsmFrzcwimhBsdJIKQIfOkg', 'yJpCyqDZZjbNHbWolbRrFuDBheHtFCjEnVzV', 'LvjwzTcIDfqajkgHtgmBrsUepIuVqXmKr', 'TgXuEOoAyaewYFcImbavxLUHfJAnbIKDiuSr', 'wEZPhmvhcOAUyLABPdvkgLmelgJCTyiXYss', 'gJFoocbSbqcdGJUUwWOhirJkqOmPhQGwZU', 'JuewCwwyBnyzCXtaNconXFvCsxlozmAVdD'
Source: NEW_INVOICE.exe, ManHole/cyvBzJ.cs; High entropy of concatenated method names: '.ctor', 'NeNPrejckhVXOJSsvlxqNXXNZBBXzWjrHV', 'PyGRJqLdImArgEHriNGtrxeHNLtAIiEdALjL', 'ujoZtSfZJdGfitbOxEbgrBTVXoRmCblxsCV', 'HJXNkiiNDrJRRPLKiceHiAsNCoDVlLxwa', 'RqHeYaNpuGtYCeozpYLOGzvewlRhXZoLk', 'XloCXDOxKtkWsEWVDSlNpgaEDqfUPgsUs', 'wlioHZoYoToZnwAELAjBEJChvnGXkXbdabTk', 'ueJjyxQcfzzoEzcxpJspcKSjydffuCOwczvJ', 'yYlBnrelsxXghmsKufgkAlDpVTQaBrLXHOsn'
Source: lNzSaUcIhlGHF.exe.1.dr, ManHole/gRDP.cs; High entropy of concatenated method names: '.ctor', 'ceccTWDomyAWGsbYfaKNUOUfueBaYuYSrywN', 'GekvLxQJPFLCrLTiSxihEEWEzmBnPpbZAH', 'SpELbVgRRdJsmFrzcwimhBsdJIKQIfOkg', 'yJpCyqDZZjbNHbWolbRrFuDBheHtFCjEnVzV', 'LvjwzTcIDfqajkgHtgmBrsUepIuVqXmKr', 'TgXuEOoAyaewYFcImbavxLUHfJAnbIKDiuSr', 'wEZPhmvhcOAUyLABPdvkgLmelgJCTyiXYss', 'gJFoocbSbqcdGJUUwWOhirJkqOmPhQGwZU', 'JuewCwwyBnyzCXtaNconXFvCsxlozmAVdD'
Source: lNzSaUcIhlGHF.exe.1.dr, ManHole/cyvBzJ.cs; High entropy of concatenated method names: '.ctor', 'NeNPrejckhVXOJSsvlxqNXXNZBBXzWjrHV', 'PyGRJqLdImArgEHriNGtrxeHNLtAIiEdALjL', 'ujoZtSfZJdGfitbOxEbgrBTVXoRmCblxsCV', 'HJXNkiiNDrJRRPLKiceHiAsNCoDVlLxwa', 'RqHeYaNpuGtYCeozpYLOGzvewlRhXZoLk', 'XloCXDOxKtkWsEWVDSlNpgaEDqfUPgsUs', 'wlioHZoYoToZnwAELAjBEJChvnGXkXbdabTk', 'ueJjyxQcfzzoEzcxpJspcKSjydffuCOwczvJ', 'yYlBnrelsxXghmsKufgkAlDpVTQaBrLXHOsn'
Source: 1.0.NEW_INVOICE.exe.1230000.0.unpack, ManHole/gRDP.cs; High entropy of concatenated method names: '.ctor', 'ceccTWDomyAWGsbYfaKNUOUfueBaYuYSrywN', 'GekvLxQJPFLCrLTiSxihEEWEzmBnPpbZAH', 'SpELbVgRRdJsmFrzcwimhBsdJIKQIfOkg', 'yJpCyqDZZjbNHbWolbRrFuDBheHtFCjEnVzV', 'LvjwzTcIDfqajkgHtgmBrsUepIuVqXmKr', 'TgXuEOoAyaewYFcImbavxLUHfJAnbIKDiuSr', 'wEZPhmvhcOAUyLABPdvkgLmelgJCTyiXYss', 'gJFoocbSbqcdGJUUwWOhirJkqOmPhQGwZU', 'JuewCwwyBnyzCXtaNconXFvCsxlozmAVdD'
Source: 1.0.NEW_INVOICE.exe.1230000.0.unpack, ManHole/cyvBzJ.cs; High entropy of concatenated method names: '.ctor', 'NeNPrejckhVXOJSsvlxqNXXNZBBXzWjrHV', 'PyGRJqLdImArgEHriNGtrxeHNLtAIiEdALjL', 'ujoZtSfZJdGfitbOxEbgrBTVXoRmCblxsCV', 'HJXNkiiNDrJRRPLKiceHiAsNCoDVlLxwa', 'RqHeYaNpuGtYCeozpYLOGzvewlRhXZoLk', 'XloCXDOxKtkWsEWVDSlNpgaEDqfUPgsUs', 'wlioHZoYoToZnwAELAjBEJChvnGXkXbdabTk', 'ueJjyxQcfzzoEzcxpJspcKSjydffuCOwczvJ', 'yYlBnrelsxXghmsKufgkAlDpVTQaBrLXHOsn'
Source: 1.2.NEW_INVOICE.exe.1230000.5.unpack, ManHole/gRDP.cs; High entropy of concatenated method names: '.ctor', 'ceccTWDomyAWGsbYfaKNUOUfueBaYuYSrywN', 'GekvLxQJPFLCrLTiSxihEEWEzmBnPpbZAH', 'SpELbVgRRdJsmFrzcwimhBsdJIKQIfOkg', 'yJpCyqDZZjbNHbWolbRrFuDBheHtFCjEnVzV', 'LvjwzTcIDfqajkgHtgmBrsUepIuVqXmKr', 'TgXuEOoAyaewYFcImbavxLUHfJAnbIKDiuSr', 'wEZPhmvhcOAUyLABPdvkgLmelgJCTyiXYss', 'gJFoocbSbqcdGJUUwWOhirJkqOmPhQGwZU', 'JuewCwwyBnyzCXtaNconXFvCsxlozmAVdD'
Source: 1.2.NEW_INVOICE.exe.1230000.5.unpack, ManHole/cyvBzJ.cs; High entropy of concatenated method names: '.ctor', 'NeNPrejckhVXOJSsvlxqNXXNZBBXzWjrHV', 'PyGRJqLdImArgEHriNGtrxeHNLtAIiEdALjL', 'ujoZtSfZJdGfitbOxEbgrBTVXoRmCblxsCV', 'HJXNkiiNDrJRRPLKiceHiAsNCoDVlLxwa', 'RqHeYaNpuGtYCeozpYLOGzvewlRhXZoLk', 'XloCXDOxKtkWsEWVDSlNpgaEDqfUPgsUs', 'wlioHZoYoToZnwAELAjBEJChvnGXkXbdabTk', 'ueJjyxQcfzzoEzcxpJspcKSjydffuCOwczvJ', 'yYlBnrelsxXghmsKufgkAlDpVTQaBrLXHOsn'
Source: SjKMY.exe.7.dr, ManHole/gRDP.cs; High entropy of concatenated method names: '.ctor', 'ceccTWDomyAWGsbYfaKNUOUfueBaYuYSrywN', 'GekvLxQJPFLCrLTiSxihEEWEzmBnPpbZAH', 'SpELbVgRRdJsmFrzcwimhBsdJIKQIfOkg', 'yJpCyqDZZjbNHbWolbRrFuDBheHtFCjEnVzV', 'LvjwzTcIDfqajkgHtgmBrsUepIuVqXmKr', 'TgXuEOoAyaewYFcImbavxLUHfJAnbIKDiuSr', 'wEZPhmvhcOAUyLABPdvkgLmelgJCTyiXYss', 'gJFoocbSbqcdGJUUwWOhirJkqOmPhQGwZU', 'JuewCwwyBnyzCXtaNconXFvCsxlozmAVdD'
Source: SjKMY.exe.7.dr, ManHole/cyvBzJ.cs; High entropy of concatenated method names: '.ctor', 'NeNPrejckhVXOJSsvlxqNXXNZBBXzWjrHV', 'PyGRJqLdImArgEHriNGtrxeHNLtAIiEdALjL', 'ujoZtSfZJdGfitbOxEbgrBTVXoRmCblxsCV', 'HJXNkiiNDrJRRPLKiceHiAsNCoDVlLxwa', 'RqHeYaNpuGtYCeozpYLOGzvewlRhXZoLk', 'XloCXDOxKtkWsEWVDSlNpgaEDqfUPgsUs', 'wlioHZoYoToZnwAELAjBEJChvnGXkXbdabTk', 'ueJjyxQcfzzoEzcxpJspcKSjydffuCOwczvJ', 'yYlBnrelsxXghmsKufgkAlDpVTQaBrLXHOsn'
Source: 7.0.NEW_INVOICE.exe.1230000.0.unpack, ManHole/gRDP.cs; High entropy of concatenated method names: '.ctor', 'ceccTWDomyAWGsbYfaKNUOUfueBaYuYSrywN', 'GekvLxQJPFLCrLTiSxihEEWEzmBnPpbZAH', 'SpELbVgRRdJsmFrzcwimhBsdJIKQIfOkg', 'yJpCyqDZZjbNHbWolbRrFuDBheHtFCjEnVzV', 'LvjwzTcIDfqajkgHtgmBrsUepIuVqXmKr', 'TgXuEOoAyaewYFcImbavxLUHfJAnbIKDiuSr', 'wEZPhmvhcOAUyLABPdvkgLmelgJCTyiXYss', 'gJFoocbSbqcdGJUUwWOhirJkqOmPhQGwZU', 'JuewCwwyBnyzCXtaNconXFvCsxlozmAVdD'
Source: 7.0.NEW_INVOICE.exe.1230000.0.unpack, ManHole/cyvBzJ.cs; High entropy of concatenated method names: '.ctor', 'NeNPrejckhVXOJSsvlxqNXXNZBBXzWjrHV', 'PyGRJqLdImArgEHriNGtrxeHNLtAIiEdALjL', 'ujoZtSfZJdGfitbOxEbgrBTVXoRmCblxsCV', 'HJXNkiiNDrJRRPLKiceHiAsNCoDVlLxwa', 'RqHeYaNpuGtYCeozpYLOGzvewlRhXZoLk', 'XloCXDOxKtkWsEWVDSlNpgaEDqfUPgsUs', 'wlioHZoYoToZnwAELAjBEJChvnGXkXbdabTk', 'ueJjyxQcfzzoEzcxpJspcKSjydffuCOwczvJ', 'yYlBnrelsxXghmsKufgkAlDpVTQaBrLXHOsn'
Source: 7.2.NEW_INVOICE.exe.1230000.6.unpack, ManHole/gRDP.cs; High entropy of concatenated method names: '.ctor', 'ceccTWDomyAWGsbYfaKNUOUfueBaYuYSrywN', 'GekvLxQJPFLCrLTiSxihEEWEzmBnPpbZAH', 'SpELbVgRRdJsmFrzcwimhBsdJIKQIfOkg', 'yJpCyqDZZjbNHbWolbRrFuDBheHtFCjEnVzV', 'LvjwzTcIDfqajkgHtgmBrsUepIuVqXmKr', 'TgXuEOoAyaewYFcImbavxLUHfJAnbIKDiuSr', 'wEZPhmvhcOAUyLABPdvkgLmelgJCTyiXYss', 'gJFoocbSbqcdGJUUwWOhirJkqOmPhQGwZU', 'JuewCwwyBnyzCXtaNconXFvCsxlozmAVdD'
Source: 7.2.NEW_INVOICE.exe.1230000.6.unpack, ManHole/cyvBzJ.cs; High entropy of concatenated method names: '.ctor', 'NeNPrejckhVXOJSsvlxqNXXNZBBXzWjrHV', 'PyGRJqLdImArgEHriNGtrxeHNLtAIiEdALjL', 'ujoZtSfZJdGfitbOxEbgrBTVXoRmCblxsCV', 'HJXNkiiNDrJRRPLKiceHiAsNCoDVlLxwa', 'RqHeYaNpuGtYCeozpYLOGzvewlRhXZoLk', 'XloCXDOxKtkWsEWVDSlNpgaEDqfUPgsUs', 'wlioHZoYoToZnwAELAjBEJChvnGXkXbdabTk', 'ueJjyxQcfzzoEzcxpJspcKSjydffuCOwczvJ', 'yYlBnrelsxXghmsKufgkAlDpVTQaBrLXHOsn'
Source: 8.2.SjKMY.exe.270000.0.unpack, ManHole/gRDP.cs; High entropy of concatenated method names: '.ctor', 'ceccTWDomyAWGsbYfaKNUOUfueBaYuYSrywN', 'GekvLxQJPFLCrLTiSxihEEWEzmBnPpbZAH', 'SpELbVgRRdJsmFrzcwimhBsdJIKQIfOkg', 'yJpCyqDZZjbNHbWolbRrFuDBheHtFCjEnVzV', 'LvjwzTcIDfqajkgHtgmBrsUepIuVqXmKr', 'TgXuEOoAyaewYFcImbavxLUHfJAnbIKDiuSr', 'wEZPhmvhcOAUyLABPdvkgLmelgJCTyiXYss', 'gJFoocbSbqcdGJUUwWOhirJkqOmPhQGwZU', 'JuewCwwyBnyzCXtaNconXFvCsxlozmAVdD'
Source: 8.2.SjKMY.exe.270000.0.unpack, ManHole/cyvBzJ.cs; High entropy of concatenated method names: '.ctor', 'NeNPrejckhVXOJSsvlxqNXXNZBBXzWjrHV', 'PyGRJqLdImArgEHriNGtrxeHNLtAIiEdALjL', 'ujoZtSfZJdGfitbOxEbgrBTVXoRmCblxsCV', 'HJXNkiiNDrJRRPLKiceHiAsNCoDVlLxwa', 'RqHeYaNpuGtYCeozpYLOGzvewlRhXZoLk', 'XloCXDOxKtkWsEWVDSlNpgaEDqfUPgsUs', 'wlioHZoYoToZnwAELAjBEJChvnGXkXbdabTk', 'ueJjyxQcfzzoEzcxpJspcKSjydffuCOwczvJ', 'yYlBnrelsxXghmsKufgkAlDpVTQaBrLXHOsn'
Source: 8.0.SjKMY.exe.270000.0.unpack, ManHole/gRDP.cs; High entropy of concatenated method names: '.ctor', 'ceccTWDomyAWGsbYfaKNUOUfueBaYuYSrywN', 'GekvLxQJPFLCrLTiSxihEEWEzmBnPpbZAH', 'SpELbVgRRdJsmFrzcwimhBsdJIKQIfOkg', 'yJpCyqDZZjbNHbWolbRrFuDBheHtFCjEnVzV', 'LvjwzTcIDfqajkgHtgmBrsUepIuVqXmKr', 'TgXuEOoAyaewYFcImbavxLUHfJAnbIKDiuSr', 'wEZPhmvhcOAUyLABPdvkgLmelgJCTyiXYss', 'gJFoocbSbqcdGJUUwWOhirJkqOmPhQGwZU', 'JuewCwwyBnyzCXtaNconXFvCsxlozmAVdD'
Source: 8.0.SjKMY.exe.270000.0.unpack, ManHole/cyvBzJ.cs; High entropy of concatenated method names: '.ctor', 'NeNPrejckhVXOJSsvlxqNXXNZBBXzWjrHV', 'PyGRJqLdImArgEHriNGtrxeHNLtAIiEdALjL', 'ujoZtSfZJdGfitbOxEbgrBTVXoRmCblxsCV', 'HJXNkiiNDrJRRPLKiceHiAsNCoDVlLxwa', 'RqHeYaNpuGtYCeozpYLOGzvewlRhXZoLk', 'XloCXDOxKtkWsEWVDSlNpgaEDqfUPgsUs', 'wlioHZoYoToZnwAELAjBEJChvnGXkXbdabTk', 'ueJjyxQcfzzoEzcxpJspcKSjydffuCOwczvJ', 'yYlBnrelsxXghmsKufgkAlDpVTQaBrLXHOsn'
Source: 13.2.SjKMY.exe.270000.0.unpack, ManHole/gRDP.cs; High entropy of concatenated method names: '.ctor', 'ceccTWDomyAWGsbYfaKNUOUfueBaYuYSrywN', 'GekvLxQJPFLCrLTiSxihEEWEzmBnPpbZAH', 'SpELbVgRRdJsmFrzcwimhBsdJIKQIfOkg', 'yJpCyqDZZjbNHbWolbRrFuDBheHtFCjEnVzV', 'LvjwzTcIDfqajkgHtgmBrsUepIuVqXmKr', 'TgXuEOoAyaewYFcImbavxLUHfJAnbIKDiuSr', 'wEZPhmvhcOAUyLABPdvkgLmelgJCTyiXYss', 'gJFoocbSbqcdGJUUwWOhirJkqOmPhQGwZU', 'JuewCwwyBnyzCXtaNconXFvCsxlozmAVdD'
Source: 13.2.SjKMY.exe.270000.0.unpack, ManHole/cyvBzJ.cs; High entropy of concatenated method names: '.ctor', 'NeNPrejckhVXOJSsvlxqNXXNZBBXzWjrHV', 'PyGRJqLdImArgEHriNGtrxeHNLtAIiEdALjL', 'ujoZtSfZJdGfitbOxEbgrBTVXoRmCblxsCV', 'HJXNkiiNDrJRRPLKiceHiAsNCoDVlLxwa', 'RqHeYaNpuGtYCeozpYLOGzvewlRhXZoLk', 'XloCXDOxKtkWsEWVDSlNpgaEDqfUPgsUs', 'wlioHZoYoToZnwAELAjBEJChvnGXkXbdabTk', 'ueJjyxQcfzzoEzcxpJspcKSjydffuCOwczvJ', 'yYlBnrelsxXghmsKufgkAlDpVTQaBrLXHOsn'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; File created: C:\Users\user\AppData\Roaming\lNzSaUcIhlGHF.exe
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; File created: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown; Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lNzSaUcIhlGHF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB1D8.tmp'
Creates an autostart registry key
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MNltZVno

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; File opened: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe; File opened: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\NEW_INVOICE.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: Process Memory Space: SjKMY.exe PID: 3300, type: MEMORY
Source: Yara match | File source: Process Memory Space: NEW_INVOICE.exe PID: 3540, type: MEMORY
Yara detected Cassandra Crypter
Source: Yara match | File source: 00000008.00000002.472784341.0196B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.321842021.03F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.320873231.01F1B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.474216706.03ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SjKMY.exe PID: 3300, type: MEMORY
Source: Yara match | File source: Process Memory Space: NEW_INVOICE.exe PID: 3540, type: MEMORY
Source: Yara match | File source: 8.2.SjKMY.exe.3ed0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.NEW_INVOICE.exe.3f40000.6.raw.unpack, type: UNPACKEDPE
Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: NEW_INVOICE.exe, 00000001.00000002.320855805.01F0F000.00000004.00000001.sdmp, SjKMY.exe, 00000008.00000002.472767399.0195F000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: NEW_INVOICE.exe, 00000001.00000002.320855805.01F0F000.00000004.00000001.sdmp, SjKMY.exe, 00000008.00000002.472767399.0195F000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum name: 0
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\NEW_INVOICE.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe | Thread delayed: delay time: 1200000
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\NEW_INVOICE.exe TID: 3740 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\NEW_INVOICE.exe TID: 3516 | Thread sleep time: -50397s >= -30000s
Source: C:\Users\user\Desktop\NEW_INVOICE.exe TID: 3680 | Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\NEW_INVOICE.exe TID: 3680 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\NEW_INVOICE.exe TID: 3616 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3876 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\NEW_INVOICE.exe TID: 4000 | Thread sleep time: -540000s >= -30000s
Source: C:\Users\user\Desktop\NEW_INVOICE.exe TID: 3964 | Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\Desktop\NEW_INVOICE.exe TID: 2932 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\NEW_INVOICE.exe TID: 4080 | Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe TID: 4060 | Thread sleep time: -420000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe TID: 4048 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe TID: 3268 | Thread sleep time: -46960s >= -30000s
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe TID: 4060 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe TID: 2236 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe TID: 2856 | Thread sleep time: -540000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe TID: 2288 | Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe TID: 2288 | Thread sleep time: -33000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dDFKPCD\SjKMY.exe TID: 2652