Loading ...

Play interactive tourEdit tour

Analysis Report CN-Invoice-XXXXX9808-19011143287989.exe

Overview

General Information

Sample Name:CN-Invoice-XXXXX9808-19011143287989.exe
Analysis ID:355908
MD5:379482795da0042d0070e6ae599a369b
SHA1:baf26cfe3c8ba84fc3da7cc2da74741130f2bb21
SHA256:7d862f96808968bbe9ca5bf571335f86cd100faa6d131a1e148ef8c54f5a4eed
Tags:exeFedEx

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Nanocore RAT
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to delay execution (extensive OutputDebugStringW loop)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • CN-Invoice-XXXXX9808-19011143287989.exe (PID: 7164 cmdline: 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' MD5: 379482795DA0042D0070E6AE599A369B)
    • powershell.exe (PID: 7088 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AdvancedRun.exe (PID: 5956 cmdline: 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 7092 cmdline: 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /SpecialRun 4101d8 5956 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 4488 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6748 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5992 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • svchost.exe (PID: 6988 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6292 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6952 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4984 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 6680 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 5988 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 1284 cmdline: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' MD5: 379482795DA0042D0070E6AE599A369B)
  • explorer.exe (PID: 5320 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 5552 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 3980 cmdline: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' MD5: 379482795DA0042D0070E6AE599A369B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x10f75:$x1: NanoCore.ClientPluginHost
  • 0x43d95:$x1: NanoCore.ClientPluginHost
  • 0x10fb2:$x2: IClientNetworkHost
  • 0x43dd2:$x2: IClientNetworkHost
  • 0x14ae5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x47905:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x10cdd:$a: NanoCore
    • 0x10ced:$a: NanoCore
    • 0x10f21:$a: NanoCore
    • 0x10f35:$a: NanoCore
    • 0x10f75:$a: NanoCore
    • 0x43afd:$a: NanoCore
    • 0x43b0d:$a: NanoCore
    • 0x43d41:$a: NanoCore
    • 0x43d55:$a: NanoCore
    • 0x43d95:$a: NanoCore
    • 0x10d3c:$b: ClientPlugin
    • 0x10f3e:$b: ClientPlugin
    • 0x10f7e:$b: ClientPlugin
    • 0x43b5c:$b: ClientPlugin
    • 0x43d5e:$b: ClientPlugin
    • 0x43d9e:$b: ClientPlugin
    • 0x10e63:$c: ProjectData
    • 0x43c83:$c: ProjectData
    • 0x1186a:$d: DESCrypto
    • 0x4468a:$d: DESCrypto
    • 0x19236:$e: KeepAlive
    00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x36cc2d:$x1: NanoCore.ClientPluginHost
    • 0x39fa4d:$x1: NanoCore.ClientPluginHost
    • 0x36cc6a:$x2: IClientNetworkHost
    • 0x39fa8a:$x2: IClientNetworkHost
    • 0x37079d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x3a35bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 4 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xe38d:$x1: NanoCore.ClientPluginHost
      • 0xe3ca:$x2: IClientNetworkHost
      • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xe105:$x1: NanoCore Client.exe
      • 0xe38d:$x2: NanoCore.ClientPluginHost
      • 0xf9c6:$s1: PluginCommand
      • 0xf9ba:$s2: FileCommand
      • 0x1086b:$s3: PipeExists
      • 0x16622:$s4: PipeCreated
      • 0xe3b7:$s5: IClientLoggingHost
      0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0xe0f5:$a: NanoCore
        • 0xe105:$a: NanoCore
        • 0xe339:$a: NanoCore
        • 0xe34d:$a: NanoCore
        • 0xe38d:$a: NanoCore
        • 0xe154:$b: ClientPlugin
        • 0xe356:$b: ClientPlugin
        • 0xe396:$b: ClientPlugin
        • 0xe27b:$c: ProjectData
        • 0xec82:$d: DESCrypto
        • 0x1664e:$e: KeepAlive
        • 0x1463c:$g: LogClientMessage
        • 0x10837:$i: get_Connected
        • 0xefb8:$j: #=q
        • 0xefe8:$j: #=q
        • 0xf004:$j: #=q
        • 0xf034:$j: #=q
        • 0xf050:$j: #=q
        • 0xf06c:$j: #=q
        • 0xf09c:$j: #=q
        • 0xf0b8:$j: #=q
        0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0x4e3ad:$x1: NanoCore.ClientPluginHost
        • 0x811cd:$x1: NanoCore.ClientPluginHost
        • 0x4e3ea:$x2: IClientNetworkHost
        • 0x8120a:$x2: IClientNetworkHost
        • 0x51f1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        • 0x84d3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        Click to see the 28 entries

        Sigma Overview

        System Summary:

        barindex
        Sigma detected: Suspicious Svchost ProcessShow sources
        Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 5988, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , ProcessId: 1284
        Sigma detected: System File Execution Location AnomalyShow sources
        Source: Process startedAuthor: Florian Roth, Patrick Bareiss: Data: Command: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 5988, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , ProcessId: 1284
        Sigma detected: Windows Processes Suspicious Parent DirectoryShow sources
        Source: Process startedAuthor: vburov: Data: Command: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 5988, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , ProcessId: 1284

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Multi AV Scanner detection for dropped fileShow sources
        Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exeReversingLabs: Detection: 29%
        Multi AV Scanner detection for submitted fileShow sources
        Source: CN-Invoice-XXXXX9808-19011143287989.exeVirustotal: Detection: 28%Perma Link
        Source: CN-Invoice-XXXXX9808-19011143287989.exeReversingLabs: Detection: 29%
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY
        Source: Yara matchFile source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE
        Machine Learning detection for dropped fileShow sources
        Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exeJoe Sandbox ML: detected
        Machine Learning detection for sampleShow sources
        Source: CN-Invoice-XXXXX9808-19011143287989.exeJoe Sandbox ML: detected

        Compliance:

        barindex
        Uses 32bit PE filesShow sources
        Source: CN-Invoice-XXXXX9808-19011143287989.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
        Source: CN-Invoice-XXXXX9808-19011143287989.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Binary contains paths to debug symbolsShow sources
        Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, AdvancedRun.exe, 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000B.00000000.764051839.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr
        Source: global trafficHTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
        Source: global trafficHTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com
        Source: global trafficHTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
        Source: global trafficHTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
        Source: global trafficHTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com
        Source: global trafficHTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com
        Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
        Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
        Source: global trafficHTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
        Source: global trafficHTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com
        Source: global trafficHTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
        Source: global trafficHTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
        Source: global trafficHTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com
        Source: global trafficHTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com
        Source: svchost.exe, 0000000D.00000003.795855596.0000026432D81000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-02-19T10:50:01.6036639Z||.||b88a9442-a46c-4c16-992a-1cd8e1c09bc0||1152921505693203979||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
        Source: svchost.exe, 0000000D.00000003.795855596.0000026432D81000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-02-19T10:50:01.6036639Z||.||b88a9442-a46c-4c16-992a-1cd8e1c09bc0||1152921505693203979||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
        Source: svchost.exe, 0000000D.00000003.795891183.0000026432D63000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
        Source: svchost.exe, 0000000D.00000003.795891183.0000026432D63000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
        Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
        Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
        Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
        Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
        Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
        Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
        Source: svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
        Source: svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
        Source: svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
        Source: unknownDNS traffic detected: queries for: coroloboxorozor.com
        Source: svchost.exe, 0000000D.00000003.793408249.0000026432D21000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.815025294.0000000002B11000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.928658113.0000000002B91000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.939330747.000000000304E000.00000004.00000001.sdmpString found in binary or memory: http://coroloboxorozor.com
        Source: svchost.exe, 0000001A.00000002.937000226.0000000002FE1000.00000004.00000001.sdmpString found in binary or memory: http://coroloboxorozor.com/base/563CB4793425B369FD0FAF05E615CF43
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.815025294.0000000002B11000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.928658113.0000000002B91000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.937000226.0000000002FE1000.00000004.00000001.sdmpString found in binary or memory: http://coroloboxorozor.com/base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.815025294.0000000002B11000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.928658113.0000000002B91000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.937000226.0000000002FE1000.00000004.00000001.sdmpString found in binary or memory: http://coroloboxorozor.com/base/EE6EDC43DDDD18D0313D668388B5ECD3.html
        Source: powershell.exe, 0000000F.00000002.922230907.0000000000A05000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.drString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
        Source: svchost.exe, 0000000D.00000003.793408249.0000026432D21000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
        Source: svchost.exe, 0000000D.00000003.793408249.0000026432D21000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.drString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
        Source: svchost.exe, 0000000D.00000003.793408249.0000026432D21000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.drString found in binary or memory: http://ocsp.sectigo.com0
        Source: powershell.exe, 0000000F.00000002.941376241.00000000046E2000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.815025294.0000000002B11000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.939999983.00000000045A1000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.928658113.0000000002B91000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.937000226.0000000002FE1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 0000000F.00000002.941376241.00000000046E2000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
        Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
        Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/termsofservice
        Source: svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmpString found in binary or memory: http://www.hulu.com/privacy
        Source: svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmpString found in binary or memory: http://www.hulu.com/terms
        Source: AdvancedRun.exe, AdvancedRun.exe, 0000000B.00000000.764051839.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.drString found in binary or memory: http://www.nirsoft.net/
        Source: svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/contact/
        Source: svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/parents/
        Source: svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmpString found in binary or memory: https://en.help.roblox.com/hc/en-us
        Source: powershell.exe, 00000008.00000003.848557817.0000000005ADE000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
        Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmpString found in binary or memory: https://instagram.com/hiddencity_
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.drString found in binary or memory: https://sectigo.com/CPS0C
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0D
        Source: svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmpString found in binary or memory: https://www.hulu.com/ca-privacy-rights
        Source: svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmpString found in binary or memory: https://www.hulu.com/do-not-sell-my-info
        Source: svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmpString found in binary or memory: https://www.roblox.com/develop
        Source: svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmpString found in binary or memory: https://www.roblox.com/info/privacy

        E-Banking Fraud:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY
        Source: Yara matchFile source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Executable has a suspicious name (potential lure to open the executable)Show sources
        Source: CN-Invoice-XXXXX9808-19011143287989.exeStatic file information: Suspicious name
        Initial sample is a PE file and has a suspicious nameShow sources
        Source: initial sampleStatic PE information: Filename: CN-Invoice-XXXXX9808-19011143287989.exe
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeCode function: 0_2_0660DFF0 NtSetInformationThread,0_2_0660DFF0
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeFile created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybjJump to behavior
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeCode function: 0_2_010820800_2_01082080
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeCode function: 0_2_010820700_2_01082070
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeCode function: 0_2_0108CEC00_2_0108CEC0
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeCode function: 0_2_0108B27C0_2_0108B27C
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeCode function: 0_2_066073500_2_06607350
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeCode function: 0_2_065E00400_2_065E0040
        Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exeCode function: 22_2_050B207022_2_050B2070
        Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exeCode function: 22_2_050BB27C22_2_050BB27C
        Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exeCode function: 26_2_013D207026_2_013D2070
        Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exeCode function: 26_2_013DEB7126_2_013DEB71
        Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exeCode function: 26_2_013DCAEC26_2_013DCAEC
        Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exeCode function: 26_2_013DEB9126_2_013DEB91
        Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exeCode function: 26_2_013DCAE026_2_013DCAE0
        Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exeCode function: 26_2_013DB27C26_2_013DB27C
        Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exeCode function: String function: 0040B550 appears 50 times
        Source: CN-Invoice-XXXXX9808-19011143287989.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: svchost.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: CN-Invoice-XXXXX9808-19011143287989.exeBinary or memory string: OriginalFilename vs CN-Invoice-XXXXX9808-19011143287989.exe
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.805265607.0000000000702000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRJFBoOwW.exe2 vs CN-Invoice-XXXXX9808-19011143287989.exe
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmpBinary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs CN-Invoice-XXXXX9808-19011143287989.exe
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAdvancedRun.exe8 vs CN-Invoice-XXXXX9808-19011143287989.exe
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.844279687.0000000003D0B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPeBraba.dll6 vs CN-Invoice-XXXXX9808-19011143287989.exe
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.875887622.0000000005950000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs CN-Invoice-XXXXX9808-19011143287989.exe
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.877180450.0000000006140000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs CN-Invoice-XXXXX9808-19011143287989.exe
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameYHjI Bhf.exe2 vs CN-Invoice-XXXXX9808-19011143287989.exe
        Source: CN-Invoice-XXXXX9808-19011143287989.exeBinary or memory string: OriginalFilenameRJFBoOwW.exe2 vs CN-Invoice-XXXXX9808-19011143287989.exe
        Source: CN-Invoice-XXXXX9808-19011143287989.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: classification engineClassification label: mal100.troj.evad.winEXE@28/13@3/3
        Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exeCode function: 10_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,10_2_00408FC9
        Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exeCode function: 11_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,11_2_00408FC9
        Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exeCode function: 10_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,10_2_004095FD
        Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exeCode function: 10_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,10_2_0040A33B
        Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exeCode function: 10_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,10_2_00401306
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CN-Invoice-XXXXX9808-19011143287989.exe.logJump to behavior
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_01
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeFile created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9aJump to behavior
        Source: unknownProcess created: C:\Windows\explorer.exe
        Source: unknownProcess created: C:\Windows\explorer.exe
        Source: unknownProcess created: C:\Windows\explorer.exe
        Source: unknownProcess created: C:\Windows\explorer.exe
        Source: CN-Invoice-XXXXX9808-19011143287989.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: CN-Invoice-XXXXX9808-19011143287989.exeVirustotal: Detection: 28%
        Source: CN-Invoice-XXXXX9808-19011143287989.exeReversingLabs: Detection: 29%
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeFile read: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe'
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' -Force
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /SpecialRun 4101d8 5956
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
        Source: unknownProcess created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
        Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' -ForceJump to behavior
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeProcess created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /RunJump to behavior
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -ForceJump to behavior
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /SpecialRun 4101d8 5956Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: C:\Windows\explorer.exeProcess created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
        Source: C:\Windows\explorer.exeProcess created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32Jump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior