Windows Analysis Report
invoice.exe

Overview

General Information

Sample Name:	invoice.exe
Analysis ID:	828743
MD5:	f111934675c34cca18d9d76fc34a2e40
SHA1:	6c54e0fbae03df56fee84195f3deb4d2ebd8d8c1
SHA256:	c627b8bb6c4ea0cf03aa2d209d0ecc53ff9784283328dabd44c1675aef0939c2
Infos:

Detection

GuLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

May check the online IP address of the machine

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Drops certificate files (DER)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Abnormal high CPU Usage

Enables debug privileges

AV process strings found (often used to terminate AV products)

Found inlined nop instructions (likely shell or obfuscated code)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

PE / OLE file has an invalid certificate

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: invoice.exe	Virustotal: Detection: 27%			Perma Link
Source: invoice.exe	ReversingLabs: Detection: 35%

Uses 32bit PE files

Source: invoice.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.184.206:443 -> 192.168.11.20:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.11.20:49841 version: TLS 1.2

Source: invoice.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.pdb source: CasPol.exe, 00000005.00000002.9019911661.0000000039A58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.PDBb source: CasPol.exe, 00000005.00000002.9019911661.0000000039A58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: caspol.pdbcaspol.pdbpdbpol.pdb\v4.0.30319\caspol.pdb source: CasPol.exe, 00000005.00000002.9012404165.0000000037637000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\caspol.pdbIN source: CasPol.exe, 00000005.00000002.9019911661.0000000039A58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\caspol.pdbpdbpol.pdb source: CasPol.exe, 00000005.00000002.9019911661.0000000039A58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: caspol.pdb source: CasPol.exe, 00000005.00000002.8995413020.0000000006F1D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\caspol.pdb. source: CasPol.exe, 00000005.00000002.9021000119.0000000039ACD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vcaspol.PDB 7 source: CasPol.exe, 00000005.00000002.9012404165.0000000037637000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: m,C:\Windows\caspol.pdb source: CasPol.exe, 00000005.00000002.9012404165.0000000037637000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\caspol.pdbr^ source: CasPol.exe, 00000005.00000002.9021000119.0000000039ACD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.pdbe089 source: CasPol.exe, 00000005.00000002.9019911661.0000000039A58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\caspol.pdbN_ source: CasPol.exe, 00000005.00000002.9019911661.0000000039A58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 9##.pdb source: CasPol.exe, 00000005.00000002.9012404165.0000000037637000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mC:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.pdb source: CasPol.exe, 00000005.00000002.9012404165.0000000037637000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: m.pdb source: CasPol.exe, 00000005.00000002.9012404165.0000000037637000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: c7symbols\exe\caspol.pdb source: CasPol.exe, 00000005.00000002.9012404165.0000000037637000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00406268 FindFirstFileA,FindClose,	1_2_00406268
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0040572D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	1_2_0040572D
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_004026F8 FindFirstFileA,	1_2_004026F8

Source: C:\Users\user\Desktop\invoice.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 377478CCh		5_2_37746DE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h		5_2_37746300

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2039190 ET TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.11.20:49842 -> 193.122.130.0:80

May check the online IP address of the machine

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ORACLE-BMC-31898US ORACLE-BMC-31898US

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 193.122.130.0 193.122.130.0

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1v9qH2HQVytFc1xq78jdiMix-1m6jIF0S HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/s4sbn26f0am6hqllsu7edmokcls88pe1/1679060025000/12467729248612761337/*/1v9qH2HQVytFc1xq78jdiMix-1m6jIF0S?e=download&uuid=a6a0f6a4-7f4f-44fa-b2c7-5636188002aa HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0k-a8-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CasPol.exe, 00000005.00000002.9014975295.0000000037959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: CasPol.exe, 00000005.00000002.9014975295.0000000037959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: CasPol.exe, 00000005.00000002.9014975295.00000000378A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8995413020.0000000006E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: CasPol.exe, 00000005.00000002.8995413020.0000000006ED6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000005.00000003.8679430245.0000000006ED3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8995413020.0000000006ED2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: invoice.exe, invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp, invoice.exe, 00000001.00000000.7326800375.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp, invoice.exe, 00000001.00000000.7326800375.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: CasPol.exe, 00000005.00000002.9014975295.00000000378A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.avast.com0/
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: CasPol.exe, 00000005.00000003.8679430245.0000000006EFD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8995413020.0000000006E97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-0k-a8-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/s4sbn26f
Source: CasPol.exe, 00000005.00000002.8995413020.0000000006E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: CasPol.exe, 00000005.00000002.8995413020.0000000006E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1v9qH2HQVytFc1xq78jdiMix-1m6jIF0S
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1v9qH2HQVytFc1xq78jdiMix-1m6jIF0S HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/s4sbn26f0am6hqllsu7edmokcls88pe1/1679060025000/12467729248612761337/*/1v9qH2HQVytFc1xq78jdiMix-1m6jIF0S?e=download&uuid=a6a0f6a4-7f4f-44fa-b2c7-5636188002aa HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0k-a8-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 142.250.184.206:443 -> 192.168.11.20:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.11.20:49841 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\invoice.exe

Code function: 1_2_004051CA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard,

1_2_004051CA

Drops certificate files (DER)

Source: C:\Users\user\Desktop\invoice.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship\vmusbmouse.cat

Jump to dropped file

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: invoice.exe

Uses 32bit PE files

Source: invoice.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

One or more processes crash

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2544

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\invoice.exe

Code function: 1_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_004031F1

Detected potential crypto function

Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00406742	1_2_00406742
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00404A09	1_2_00404A09
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00406F19	1_2_00406F19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_37746DE3	5_2_37746DE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_37746300	5_2_37746300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_377462EF	5_2_377462EF

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\invoice.exe

Process Stats: CPU usage > 98%

PE file does not import any functions

Source: lang-1059.dll.1.dr

Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: invoice.exe, 00000001.00000000.7326884916.0000000000441000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamepaaklders Nonblameful.exe` vs invoice.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\invoice.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: edgegdi.dll			Jump to behavior

PE / OLE file has an invalid certificate

Source: invoice.exe

Static PE information: invalid certificate

Source: invoice.exe	Virustotal: Detection: 27%
Source: invoice.exe	ReversingLabs: Detection: 35%

Source: C:\Users\user\Desktop\invoice.exe

File read: C:\Users\user\Desktop\invoice.exe

Source: unknown	Process created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
Source: C:\Users\user\Desktop\invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\invoice.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2544
Source: C:\Users\user\Desktop\invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\invoice.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2356:304:WilStaging_02
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1520

Source: Mss32.dll.1.dr	Static PE information: section name: MSSMIXER
Source: NMDllHost.exe.1.dr	Static PE information: section name: .shared

Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\invoice.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Source: C:\Users\user\Desktop\invoice.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Ath_CoexAgent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\invoice.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\NMDllHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\invoice.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\Mss32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\invoice.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Antimodernly\trever\Hovedinteressers\lang-1059.dll	Jump to dropped file

Source: C:\Users\user\Desktop\invoice.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\invoice.exe	API call chain: ExitProcess graph end node

Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: invoice.exe, 00000001.00000002.8702090248.000000000069E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga
Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: invoice.exe, 00000001.00000002.8702090248.0000000000658000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exen<
Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 00000005.00000002.8995413020.0000000006EAC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8995413020.0000000006E3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	true
142.250.184.206	drive.google.com	United States	15169	GOOGLEUS	false
142.250.186.33	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://doc-0k-a8-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/s4sbn26f0am6hqllsu7edmokcls88pe1/1679060025000/12467729248612761337/*/1v9qH2HQVytFc1xq78jdiMix-1m6jIF0S?e=download&uuid=a6a0f6a4-7f4f-44fa-b2c7-5636188002aa	false		high

ID:	828743
Product:	CloudBasic
Start time:	14:30:04
Start date:	17.03.2023
Sample:	invoice.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Architecture:	WINDOWS
MD5:	f111934675c34cca18d9d76fc34a2e40
SHA1:	6c54e0fbae03df56fee84195f3deb4d2ebd8d8c1
SHA256:	c627b8bb6c4ea0cf03aa2d209d0ecc53ff9784283328dabd44c1675aef0939c2
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_caspol.exe_d8eda6a1754a151dd5173ca6db3e65435df63db_ea830a9b_04bcfbd1-2c77-4702-aba0-8ccec9d684fc\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	AA43B8BBA15A813BFCCD02E862007CD8	8250B873BAC21F5986212B2451B512E48B4349D5	2D416E1A3C441D6B7DCF6EF0F287F15ED46DCEF848C32BEB31D02196D402DB63
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD36E.tmp.dmp	Mini DuMP crash report, 14 streams, Fri Mar 17 14:34:35 2023, 0x1205a4 type	7EBCA7182F74A342B0C77C9FE8DDC072	1F7A577A9AC5731E0DD8130DDBB8B5B01D0F496E	8D93AC888DBA63A724D6827FCEA592EE97BE5E19BFAE9131BD861813E6C644E5
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD563.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	A6EEA52F37433165774D6A66E6B6994F	97AEC2A821BA4337326EB3BDEE28195E298F6291	5F4ECF6632344627BA5B494DEAB0E0E9F97E194E1F1FDC699D9985AADE578C43
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD593.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	5770CD5EAA63B08F65E7E38543698591	E440A41F9A3DAE38151312126A08FA17C818B0D2	5D8A6CD4D2DE8A2B0B46B87FAEAB8B31E6622D0C5EF81970C9D65975B37CA94E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Antimodernly\trever\Hovedinteressers\icon-ui.icns	HTML document, ASCII text, with CRLF line terminators	5343C1A8B203C162A3BF3870D9F50FD4	04B5B886C20D88B57EEA6D8FF882624A4AC1E51D	DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Antimodernly\trever\Hovedinteressers\lang-1059.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	B47C741673A92A16B48140FCBDA04030	AA7A003DA656320A274F276EE4BF8C27203D1B4C	E6E775E7A5AC1BFA01B5A5CB9A7532171817408E67E346E33CA3CB091BDEA478
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Ath_CoexAgent.exe	PE32 executable (console) Intel 80386, for MS Windows	86B8B1F5C1189D68B07666784BE882FE	B023E9442CFC9C9652E1C8990F06DEF08BDC5B01	0DD8C627F3DDBDB61B1910540C465C0D62C9F8D84C7CBB6C80782DB02D535AF0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship\vmusbmouse.cat	data	DBE99D951395F37E5C3F4164D8A22245	238EF179549F6AEB2E3C6F4188365814A965312B	671CB26C75AC0256B07835AE00E7018AF6126FAE7400BF21E57707E0CC9164B5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\Mss32.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	B75A8E0DDEEB4330C1DBA37105244B0F	E5302CA8517AC2826B5D56E3395D41C34B5B3DF7	CC142B9D8B5223E2720C6440CB7A124C0A80D2FB04ECF59AD7331DFD6E3CB51F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\NMDllHost.exe	PE32 executable (GUI) Intel 80386, for MS Windows	DBF787BD6E5CE77FB34FF281A144EB96	50B7799ECCA566BE35429828245D44CB04AD8885	CCBACEEA04837229C95C08274C747ABE069279AFB990DDD89EC743C42ADC0AD9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Stemningssvingning\Urgently.Suk	ASCII text, with very long lines (52812), with no line terminators	4C6FAD70762561B0D38AA152C52796A8	9FAFD1E9CF41E5482AC7960F7F0C20AB5B703D30	C7CC1E08C3B0850EF02E7F4371D71918B55686581FDE5D124149884EE56C8F4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Udlandsrejse153\Aeroscopic\Clanging\Uskyldsrent\SourceCodePro-ExtraLight.otf	OpenType font data	9ECC8DF598E9EDDE1072942D344CC0CF	9FF240AB48EB7E97237E25D8C6F8CD738BA97CAA	D945E1C81A59A434E36EEDEF21E64B61CC6901A9E43936AF79C20BDBF57592B1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Udlandsrejse153\Aeroscopic\Clanging\Uskyldsrent\cs.txt	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	641B90F9AEDFC68486D0D20B40F7ECA6	0A683DD844534905336784FADD80498AFE26F6FA	87A4B9369FD51D76C9032C0E65C3C6221659E086798829072785BE589E55B839
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\figuranternes.Han	data	DF0C864AD6FE636F3AD391B04A408AC7	B0072D5406BA66EDD9F6A1A443D56378BDA688C5	A802EB02B9345615A947C6B8B57441D7DEBD4300FFEAFC16623CE18F68CABBF2
C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\AdvSplash.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	88C3BA1802AEF228541820767453E058	4F3AEFB9E4EC27CB49973CB19BD968E54A2BA676	2722555EC1F72523774B64D25FD4C2B460000BFE82140876D6100DC4FB1F62B1
C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C9473CB90D79A374B2BA6040CA16E45C	AB95B54F12796DCE57210D65F05124A6ED81234A	B80A5CBA69D1853ED5979B0CA0352437BF368A5CFB86CB4528EDADD410E11352
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	6B3E54A24A9E83963E044BE36E344CD6	FE8383F68D875A4C9E711E7878D7385C1612CCCA	D3FF0F24C8D20A5005CC564DEB0B197A5FBF1506F3F1388D50292DD118698312
C:\Windows\appcompat\Programs\Amcache.hve.LOG1	MS Windows registry file, NT/2000 or above	51B02C650B9F903CC6EEACB3A10D21A5	4EA07D7465F2429B16A13D2058F8A4B25CC65AE4	30B4E3705D8FAC7230A89C328F433F7EEC2FA552181EE91AB39F4B13A7ED70ED
\Device\ConDrv	ASCII text, with CRLF, LF line terminators	8D14AB4128F9BFE3E4F5F9B160BBFFE7	7EA846DF04D4120A819DB47723C716BF2610E5CD	91D7EA682DB129FD33DA04168DB3BFCA08EA8B6CB0533C559E0ADC0DA5BD56E8

Windows Analysis Report invoice.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
invoice.exe