Play interactive tour

Edit tour

Analysis Report y3t4g48gj6_PAYMENT.exe

Overview

General Information

Sample Name:	y3t4g48gj6_PAYMENT.exe
Analysis ID:	411514
MD5:	9998f7e0c708ba1fa4b56235a9811c0f
SHA1:	e3810d21600bb0113b2d7116347326beb6a35d83
SHA256:	9f44f33f1b0b724292959b65ae6f2918cb1993641ad7832ffdbd68fc00fdda2c
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected Nanocore RAT

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Creates an autostart registry key pointing to binary in C:\Windows

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Non Interactive PowerShell

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

y3t4g48gj6_PAYMENT.exe (PID: 7028 cmdline: 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' MD5: 9998F7E0C708BA1FA4B56235A9811C0F)

powershell.exe (PID: 4668 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 4896 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 1912 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6336 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 4752 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

y3t4g48gj6_PAYMENT.exe (PID: 6644 cmdline: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe MD5: 9998F7E0C708BA1FA4B56235A9811C0F)

y3t4g48gj6_PAYMENT.exe (PID: 6868 cmdline: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe MD5: 9998F7E0C708BA1FA4B56235A9811C0F)

WerFault.exe (PID: 5760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1780 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 7128 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7088 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6824 cmdline: 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' MD5: 9998F7E0C708BA1FA4B56235A9811C0F)

svchost.exe (PID: 4696 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 6396 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7028 -ip 7028 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 5980 cmdline: 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' MD5: 9998F7E0C708BA1FA4B56235A9811C0F)

svchost.exe (PID: 6160 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5280 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2032 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f8dffc54-5ec5-4013-9de8-d8d85368", "Group": "CODEDBASE", "Domain1": "omaprilcode.duckdns.org", "Domain2": "omaprilcode.duckdns.org", "Port": 8090, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3bf37d:$x1: NanoCore.ClientPluginHost 0x3bf3ba:$x2: IClientNetworkHost 0x3c2eed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3bf0e5:$a: NanoCore 0x3bf0f5:$a: NanoCore 0x3bf329:$a: NanoCore 0x3bf33d:$a: NanoCore 0x3bf37d:$a: NanoCore 0x3bf144:$b: ClientPlugin 0x3bf346:$b: ClientPlugin 0x3bf386:$b: ClientPlugin 0x3bf26b:$c: ProjectData 0x3bfc72:$d: DESCrypto 0x3c763e:$e: KeepAlive 0x3c562c:$g: LogClientMessage 0x3c1827:$i: get_Connected 0x3bffa8:$j: #=q 0x3bffd8:$j: #=q 0x3bfff4:$j: #=q 0x3c0024:$j: #=q 0x3c0040:$j: #=q 0x3c005c:$j: #=q 0x3c008c:$j: #=q 0x3c00a8:$j: #=q
Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5ecfd3:$x1: NanoCore.ClientPluginHost 0x5ed034:$x2: IClientNetworkHost 0x5f2439:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6003ab:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5ecad8:$a: NanoCore 0x5ecaf4:$a: NanoCore 0x5ecc4f:$a: NanoCore 0x5ecc5e:$a: NanoCore 0x5ecf37:$a: NanoCore 0x5ecf63:$a: NanoCore 0x5ecfd3:$a: NanoCore 0x5fca15:$a: NanoCore 0x5fca27:$a: NanoCore 0x5fca63:$a: NanoCore 0x5ecb7f:$b: ClientPlugin 0x5ecca8:$b: ClientPlugin 0x5ecf6c:$b: ClientPlugin 0x5ecfdc:$b: ClientPlugin 0x5fca30:$b: ClientPlugin 0x5fca6c:$b: ClientPlugin 0x5ecdf5:$c: ProjectData 0x5fc962:$c: ProjectData 0x20a6b44:$c: ProjectData 0x20a993b:$c: ProjectData 0x5edf31:$d: DESCrypto
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 3 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe, ProcessId: 6868, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' , ParentImage: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe, ParentProcessId: 7028, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force, ProcessId: 4668

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f8dffc54-5ec5-4013-9de8-d8d85368", "Group": "CODEDBASE", "Domain1": "omaprilcode.duckdns.org", "Domain2": "omaprilcode.duckdns.org", "Port": 8090, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe

ReversingLabs: Detection: 14%

Multi AV Scanner detection for submitted file

Show sources

Source: y3t4g48gj6_PAYMENT.exe

ReversingLabs: Detection: 14%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028, type: MEMORY
Source: Yara match	File source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: y3t4g48gj6_PAYMENT.exe

Joe Sandbox ML: detected

Source: y3t4g48gj6_PAYMENT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.405369996.0000000000C5B000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.401704873.0000000000C25000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbX source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: ml.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Dynamic.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdbv}F source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: y3t4g48gj6_PAYMENT.PDB source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbl}L source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: System.Dynamic.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: psapi.pdbGLK source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: ml.pdb\| source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.CSharp.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: i.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdbULY source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdbILM source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.CSharp.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb^}~ source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: indows.Forms.pdb{{ source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdb8 source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.562679881.0000000001A4E000.00000004.00000020.sdmp, WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: t.CSharp.pdb&& source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: combase.pdb source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb% source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: ynamic.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: p8C:\Windows\System.Core.pdb source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: urlmon.pdb/Lc source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbtXm. source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.562854544.0000000001A5B000.00000004.00000020.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: rawing.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: .pdb0 source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: ility.pdb= source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: rawing.pdbV source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb;L source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb`}p source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000014.00000003.460718316.0000000005078000.00000004.00000040.sdmp
Source:	Binary string: pe.pdb source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbx}X source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb#L source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.401704873.0000000000C25000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: profapi.pdbj}J source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbCv source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb1Le source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: c.pdbisualB source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdbR}b source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: version.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: System.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.562679881.0000000001A4E000.00000004.00000020.sdmp
Source:	Binary string: t.CSharp.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3hl source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: ore.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.PDB source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: cldapi.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000014.00000003.460331688.0000000005061000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbp source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000014.00000003.460331688.0000000005061000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbT}d source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: edputil.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: omaprilcode.duckdns.org

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: omaprilcode.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.6:49735 -> 194.5.97.75:8090

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: svchost.exe, 0000001B.00000002.518563140.00000193D7515000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001B.00000002.518563140.00000193D7515000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001B.00000003.496979181.00000193D7565000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-05-11T09:38:07.3274264Z\|\|.\|\|7e6d3bb3-74bc-4bd2-8463-13ea3a980d3c\|\|1152921505693476823\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000001B.00000003.496979181.00000193D7565000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-05-11T09:38:07.3274264Z\|\|.\|\|7e6d3bb3-74bc-4bd2-8463-13ea3a980d3c\|\|1152921505693476823\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000001B.00000002.518563140.00000193D7515000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001B.00000002.518563140.00000193D7515000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001B.00000003.474278546.00000193D7580000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-28T14:19:25.9172986Z\|\|.\|\|2e8b091b-9a79-4b36-a1ad-1238cc769fa9\|\|1152921505693355901\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-28T14:18:40.1620745Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":541214496,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_neutral_~_ytsefhwckbdv6","PackageId":"b3805e6c-7a08-4cff-113c-76cb28cda307-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":541214496,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_neutral_~_ytsefhwckbdv6","PackageId":"b3805e6c-7a08-4cff-113c-76cb28cda307-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":541214496,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_neutral_~_ytsefhwckbdv6","PackageId":"b3805e6c-7a08-4cff-113c-76cb28cda307-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000001B.00000003.475043842.00000193D751E000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-28T14:19:25.9172986Z\|\|.\|\|2e8b091b-9a79-4b36-a1ad-1238cc769fa9\|\|1152921505693355901\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-28T14:18:40.1620745Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000001B.00000003.474464763.00000193D7561000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-28T14:19:25.9172986Z\|\|.\|\|2e8b091b-9a79-4b36-a1ad-1238cc769fa9\|\|1152921505693355901\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-28T14:18:40.1620745Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000001B.00000003.475043842.00000193D751E000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","SkuTitle":"Messenger","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9WZDNCRF0083","Properties":{"FulfillmentData":{"ProductId":"9WZDNCRF0083","WuCategoryId":"c6a9fa5c-20a2-4e12-904d-edd408657dc8","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x64"],"Capabilities":["runFullTrust","internetClient","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":140842379,"PackageFormat":"Appx","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","MainPackageFamilyNameForDlc":null,"PackageFullName":"FACEBOOK.317180B0BB486_970.11.116.0_x64__8xx8rvfyw5nnt","PackageId":"7f326ffb-6d38-0c43-2776-11d49b129880-X64","PackageRank":30002,"PlatformDependencies":[{"MaxTested":2814750970478592,"MinVersion":2814750438195200,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"FACEBOOK.317180B0BB486_970.11.116.0_x64__8xx8rvfyw5nnt\",\"content.productId\":\"3219d30d-4a23-4f58-a91c-c44b04e6a0c7\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750970478592,\"platform.minVersion\":2814750438195200,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Social\",\"optOut.bac

Source: unknown

DNS traffic detected: queries for: omaprilcode.duckdns.org

Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: svchost.exe, 0000001B.00000002.518530642.00000193D7500000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: svchost.exe, 0000001B.00000002.518530642.00000193D7500000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000001F.00000002.643801332.000001F18E412000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: svchost.exe, 0000001B.00000002.512670902.00000193D6C82000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: svchost.exe, 0000001B.00000002.514011239.00000193D6CEA000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 0000001F.00000002.643801332.000001F18E412000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: svchost.exe, 0000001F.00000002.643801332.000001F18E412000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000005.00000003.482507210.000000000812F000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 0000001F.00000002.644438974.000001F18E630000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: powershell.exe, 00000005.00000003.482507210.000000000812F000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.493537589.00000193D7566000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: powershell.exe, 00000005.00000003.482507210.000000000812F000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000003.511991021.000000000552F000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028, type: MEMORY
Source: Yara match	File source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: y3t4g48gj6_PAYMENT.exe

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File created: C:\Windows\Resources\Themes\agcQ435Jh2M0514

Jump to behavior

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Code function: 1_2_036BF5A8	1_2_036BF5A8
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Code function: 1_2_036B1170	1_2_036B1170
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Code function: 1_2_036B18D0	1_2_036B18D0
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Code function: 1_2_036B25A0	1_2_036B25A0
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Code function: 1_2_036B04D8	1_2_036B04D8

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7028 -ip 7028

Source: y3t4g48gj6_PAYMENT.exe

Static PE information: invalid certificate

Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000000.321602634.0000000001372000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs y3t4g48gj6_PAYMENT.exe
Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWEMZ Fyj.exe2 vs y3t4g48gj6_PAYMENT.exe
Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs y3t4g48gj6_PAYMENT.exe
Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.635619861.0000000006BD0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs y3t4g48gj6_PAYMENT.exe
Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.632793940.0000000005D00000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs y3t4g48gj6_PAYMENT.exe
Source: y3t4g48gj6_PAYMENT.exe, 0000000C.00000002.378845446.00000000005F2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs y3t4g48gj6_PAYMENT.exe
Source: y3t4g48gj6_PAYMENT.exe, 0000000E.00000003.418531659.00000000014F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs y3t4g48gj6_PAYMENT.exe
Source: y3t4g48gj6_PAYMENT.exe, 0000000E.00000000.382673075.0000000000E02000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs y3t4g48gj6_PAYMENT.exe
Source: y3t4g48gj6_PAYMENT.exe	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs y3t4g48gj6_PAYMENT.exe

Source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.562679881.0000000001A4E000.00000004.00000020.sdmp

Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.evad.winEXE@32/27@3/3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20210511

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4104:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_01
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{f8dffc54-5ec5-4013-9de8-d8d853682f44}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6356:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4524:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7028

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yw1y3y53.hqg.ps1

Jump to behavior

Source: y3t4g48gj6_PAYMENT.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: y3t4g48gj6_PAYMENT.exe

ReversingLabs: Detection: 14%

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File read: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7028 -ip 7028
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1780
Source: unknown	Process created: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7028 -ip 7028
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1780
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: y3t4g48gj6_PAYMENT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: y3t4g48gj6_PAYMENT.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: y3t4g48gj6_PAYMENT.exe

Static file information: File size 3867176 > 1048576

Source: y3t4g48gj6_PAYMENT.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3ae400

Source: y3t4g48gj6_PAYMENT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.405369996.0000000000C5B000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.401704873.0000000000C25000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbX source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: ml.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Dynamic.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdbv}F source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: y3t4g48gj6_PAYMENT.PDB source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbl}L source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: System.Dynamic.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: psapi.pdbGLK source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: ml.pdb\| source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.CSharp.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: i.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdbULY source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdbILM source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.CSharp.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb^}~ source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: indows.Forms.pdb{{ source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdb8 source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.562679881.0000000001A4E000.00000004.00000020.sdmp, WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: t.CSharp.pdb&& source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: combase.pdb source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb% source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: ynamic.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: p8C:\Windows\System.Core.pdb source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: urlmon.pdb/Lc source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbtXm. source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.562854544.0000000001A5B000.00000004.00000020.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: rawing.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: .pdb0 source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: ility.pdb= source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: rawing.pdbV source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb;L source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb`}p source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000014.00000003.460718316.0000000005078000.00000004.00000040.sdmp
Source:	Binary string: pe.pdb source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbx}X source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb#L source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.401704873.0000000000C25000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: profapi.pdbj}J source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbCv source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb1Le source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: c.pdbisualB source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdbR}b source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: version.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: System.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.562679881.0000000001A4E000.00000004.00000020.sdmp
Source:	Binary string: t.CSharp.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3hl source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: ore.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.PDB source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: cldapi.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000014.00000003.460331688.0000000005061000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbp source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000014.00000003.460331688.0000000005061000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbT}d source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: edputil.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp

Source: y3t4g48gj6_PAYMENT.exe

Static PE information: 0xD9F65925 [Sat Nov 17 01:55:49 2085 UTC]

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Code function: 1_2_01D3F730 push esp; retf	1_2_01D3F731
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Code function: 1_2_01D3EBCC pushfd ; ret	1_2_01D3EBCD
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Code function: 1_2_036B4CC8 push B40368FCh; ret	1_2_036B4CCD

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File created: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: unknown

Executable created and started: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File created: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File created: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe

Jump to dropped file

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 51h0d2Kf8543fo5

Jump to behavior

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 51h0d2Kf8543fo5	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 51h0d2Kf8543fo5	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 51h0d2Kf8543fo5	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 51h0d2Kf8543fo5	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File opened: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe:Zone.Identifier read attributes | delete

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Section loaded: OutputDebugStringW count: 215
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Section loaded: OutputDebugStringW count: 115

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.632793940.0000000005D00000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.632793940.0000000005D00000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLUSER

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4199	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2736	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3961	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3027	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4137	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2248	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Window / User API: threadDelayed 3531
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Window / User API: threadDelayed 5320
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Window / User API: foregroundWindowGot 354

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe TID: 7032	Thread sleep count: 100 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4008	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4008	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1724	Thread sleep count: 3961 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 956	Thread sleep count: 3027 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6768	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6020	Thread sleep count: 4137 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6020	Thread sleep count: 2248 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6348	Thread sleep count: 63 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7104	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe TID: 5724	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe TID: 5692	Thread sleep time: -400000s >= -30000s
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe TID: 6816	Thread sleep count: 100 > 30
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe TID: 5720	Thread sleep count: 100 > 30
Source: C:\Windows\System32\svchost.exe TID: 5360	Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 780	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread delayed: delay time: 922337203685477

Source: WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: powershell.exe, 00000003.00000003.590449724.0000000005756000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.593349676.00000000055E4000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: svchost.exe, 00000002.00000002.339785847.00000183AEF40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.411970104.0000020872540000.00000002.00000001.sdmp, WerFault.exe, 00000014.00000002.534003099.0000000004D20000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.447874029.0000019E2AD40000.00000002.00000001.sdmp, svchost.exe, 0000001B.00000002.527402070.00000193D7C00000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: svchost.exe, 0000001F.00000002.644130404.000001F18E462000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: WerFault.exe, 00000014.00000002.521043498.0000000001240000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.512350033.00000193D6C70000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.639501236.000001F188E2A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.632793940.0000000005D00000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: svchost.exe, 00000002.00000002.339785847.00000183AEF40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.411970104.0000020872540000.00000002.00000001.sdmp, WerFault.exe, 00000014.00000002.534003099.0000000004D20000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.447874029.0000019E2AD40000.00000002.00000001.sdmp, svchost.exe, 0000001B.00000002.527402070.00000193D7C00000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000002.00000002.339785847.00000183AEF40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.411970104.0000020872540000.00000002.00000001.sdmp, WerFault.exe, 00000014.00000002.534003099.0000000004D20000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.447874029.0000019E2AD40000.00000002.00000001.sdmp, svchost.exe, 0000001B.00000002.527402070.00000193D7C00000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: VMwareVBox
Source: WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: svchost.exe, 0000001B.00000002.513210300.00000193D6CA8000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW@
Source: WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: svchost.exe, 00000002.00000002.339785847.00000183AEF40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.411970104.0000020872540000.00000002.00000001.sdmp, WerFault.exe, 00000014.00000002.534003099.0000000004D20000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.447874029.0000019E2AD40000.00000002.00000001.sdmp, svchost.exe, 0000001B.00000002.527402070.00000193D7C00000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: powershell.exe, 00000003.00000003.590449724.0000000005756000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.593349676.00000000055E4000.00000004.00000001.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process token adjusted: Debug
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' -Force
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

Memory written: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7028 -ip 7028
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1780

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe VolumeInformation
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028, type: MEMORY
Source: Yara match	File source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: y3t4g48gj6_PAYMENT.exe, 0000000E.00000003.418531659.00000000014F0000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028, type: MEMORY
Source: Yara match	File source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Registry Run Keys / Startup Folder11	Process Injection111	Masquerading221	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder11	Disable or Modify Tools11	LSASS Memory	Security Software Discovery331	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion251	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	Virtualization/Sandbox Evasion251	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Timestomp1	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery22	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
y3t4g48gj6_PAYMENT.exe	15%	ReversingLabs	Win32.Trojan.Generic
y3t4g48gj6_PAYMENT.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	100%	Joe Sandbox ML
C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	15%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
omaprilcode.duckdns.org	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
omaprilcode.duckdns.org	3%	Virustotal		Browse
omaprilcode.duckdns.org	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
omaprilcode.duckdns.org	194.5.97.75	true	true	3%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
omaprilcode.duckdns.org	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000005.00000003.482507210.000000000812F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000005.00000003.482507210.000000000812F000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/contact/	svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000007.00000003.511991021.000000000552F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.roblox.com/develop	svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp	false		high
https://instagram.com/hiddencity_	svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/parents/	svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.493537589.00000193D7566000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000005.00000003.482507210.000000000812F000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms	svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	svchost.exe, 0000001F.00000002.644438974.000001F18E630000.00000002.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
https://www.roblox.com/info/privacy	svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp	false		high
http://www.g5e.com/termsofservice	svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
https://en.help.roblox.com/hc/en-us	svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.97.75	omaprilcode.duckdns.org	Netherlands		208476	DANILENKODE	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	411514
Start date:	11.05.2021
Start time:	23:52:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	y3t4g48gj6_PAYMENT.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@32/27@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 5.5% (good quality ratio 0%) Quality average: 0.3% Quality standard deviation: 3.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 98 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 13.64.90.137, 92.122.145.220, 20.82.210.154, 92.122.213.194, 92.122.213.247, 93.184.221.240, 51.103.5.186, 52.155.217.156, 20.54.26.129, 40.126.31.141, 20.190.159.136, 20.190.159.134, 40.126.31.139, 20.190.159.138, 40.126.31.143, 40.126.31.4, 40.126.31.137, 52.255.188.83, 184.30.20.56, 168.61.161.212 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu.azureedge.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net Execution Graph export aborted for target y3t4g48gj6_PAYMENT.exe, PID 6644 because there are no executed function Execution Graph export aborted for target y3t4g48gj6_PAYMENT.exe, PID 7028 because it is empty Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:53:41	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 51h0d2Kf8543fo5 C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe
23:53:49	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce 51h0d2Kf8543fo5 C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe
23:53:56	API Interceptor	805x Sleep call for process: y3t4g48gj6_PAYMENT.exe modified
23:54:22	API Interceptor	12x Sleep call for process: svchost.exe modified
23:54:22	API Interceptor	147x Sleep call for process: powershell.exe modified
23:54:51	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
194.5.97.75	IPUt7Nr2CH.exe	Get hash	malicious	Browse
	q19CDiK5TD.exe	Get hash	malicious	Browse
	d9hGzIR8mh.exe	Get hash	malicious	Browse
	6554353_Payment_Invoice.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
omaprilcode.duckdns.org	IPUt7Nr2CH.exe	Get hash	malicious	Browse	194.5.97.75
omaprilcode.duckdns.org	q19CDiK5TD.exe	Get hash	malicious	Browse	194.5.97.75

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	Quotation.jar	Get hash	malicious	Browse	194.5.98.38
	5lQuLT5Zu8.exe	Get hash	malicious	Browse	194.5.97.116
	IPUt7Nr2CH.exe	Get hash	malicious	Browse	194.5.97.75
	Passport_ID_jpg.jar	Get hash	malicious	Browse	194.5.98.228
	Vd80r7R7K5.exe	Get hash	malicious	Browse	194.5.98.208
	noVPhNP46G.exe	Get hash	malicious	Browse	194.5.98.208
	LQ0dDP64uk.exe	Get hash	malicious	Browse	194.5.98.208
	SCAN_DOCX-36673672.exe	Get hash	malicious	Browse	194.5.97.11
	4b092c1e_by_Libranalysis.docx	Get hash	malicious	Browse	194.5.98.208
	QW8lWJDpU8.exe	Get hash	malicious	Browse	194.5.98.5
	2a8f04dd_by_Libranalysis.docm	Get hash	malicious	Browse	194.5.98.210
	Invoice_orderYscFwfO1peuGl0w.exe	Get hash	malicious	Browse	194.5.98.250
	Quotation.jar	Get hash	malicious	Browse	194.5.97.87
	Quotation.jar	Get hash	malicious	Browse	194.5.97.87
	Quotation.jar	Get hash	malicious	Browse	194.5.97.87
	Quotation.jar	Get hash	malicious	Browse	194.5.97.87
	EFT payment.exe	Get hash	malicious	Browse	194.5.97.215
	Contract_Documents_pdf.exe	Get hash	malicious	Browse	194.5.98.203
	BANK DETAILS.jar	Get hash	malicious	Browse	194.5.97.87
	q19CDiK5TD.exe	Get hash	malicious	Browse	194.5.97.75

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5976804353698416
Encrypted:	false
SSDEEP:	6:btKVEk1GaD0JOCEfMuaaD0JOCEfMKQmDI0Al/gz2cE0fMbhEZolrRSQ2hyYIIT:bYVrGaD0JcaaD0JwQQI0Ag/0bjSQJ
MD5:	C6A4D3B3B4EB755F99F9FD5B25FE88A9
SHA1:	343110136653D96FE8DFE258E50328777006AEC3
SHA-256:	7EDE1D0C07AD67C98AC68AD2D25206BC2CEC26F98D27AA0870170EA08BD63772
SHA-512:	D3F257F5229B0CCCA6740166296057F2D5E0E290AFB5C9D716EA6419BC39024937992357A5552AB7A44810AE0764B2452176559542AFECE7BB66946A55FC7927
Malicious:	false
Preview:	....E..h..(.....46...y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................46...y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x80031985, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09616301549185044
Encrypted:	false
SSDEEP:	12:x0+Y1O4blqXOlRxKT0+Y1O4blqXOlRxK:q13lz13l
MD5:	E47EA999514BEC2CADE05C8F05257AE6
SHA1:	E685169FA7CF7F06FFF70FEE34C5A713E6CEBC1D
SHA-256:	7B6F583B5D70FE9AB6B695120C8DD5B615521F5F4FA5548F1D23E8595AF972C9
SHA-512:	D5E6ECD730C784F36EB3588103BBFAD79DDCBF821D5C9BA3355DD08547F92DA504B735BC6DDC0538E47C12F9F89E63038E7CB4A34A597A973D18E28F08B2982C
Malicious:	false
Preview:	....... ................e.f.3...w........................&..........w..46...yG.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w........................................................................................................................................................................................................................................5.46...y.{.................5..46...yG.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.11086134938174995
Encrypted:	false
SSDEEP:	3:6TEvRriIMuXl/bJdAtiLzvpcHYll:PJMAt4Ir
MD5:	D749BF4712C102699C1918F5266DFED0
SHA1:	6B0B812FA4903EF76603641A5A3CE3FEF5B2D9CF
SHA-256:	445AFA51E5E9610960E9B93176744416754E1CCF495F8A8C6FDE3FC6BD9971E6
SHA-512:	B708677FD5F6EC5B329394F52DEB276FAD880F669CE6E7A0A52E7D29DA7A83056E57BBF58E2CB62B2B285A4C7763723BA43952706AE75FD6B9F482145CB7AD22
Malicious:	false
Preview:	.m.=.....................................3...w..46...yG......w...............w.......w....:O.....w...................5..46...yG.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_y3t4g48gj6_PAYME_ce53192e427e57e166223ab89fc2d2b1ddc61e_5e276ace_16bcfe61\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	15294
Entropy (8bit):	3.7744507720065053
Encrypted:	false
SSDEEP:	192:O5sUrmHBUZMXyaKKIKZDnyK/u7sjS274Itjb:UlSBUZMXyatyK/u7sjX4Itjb
MD5:	04B18104DC74E8A05B23CD669E5ADA60
SHA1:	6D30AAF091493A505269958BEF5D5ADDFA51D2C4
SHA-256:	BFEDFC3EC6F63C97FDB465DF9E9A32173937B26402D20570B26DDCC2CE2626BE
SHA-512:	D26968FC016564A690E8B3A08D3F8EB1C6B77A69ED3C1889C699E937ED74214639D2C01293F24412AA7AFF9C60CAFCD05D153BE39F56101165D2DB81259FC18A
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.5.2.7.6.0.4.2.5.1.9.0.1.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.5.2.7.6.0.8.7.7.2.1.9.0.1.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.e.7.a.7.b.7.-.8.f.2.0.-.4.0.9.5.-.8.3.3.f.-.3.1.f.a.0.a.e.7.e.d.3.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.a.2.9.b.4.f.-.f.f.1.c.-.4.0.4.7.-.8.1.9.3.-.4.1.f.7.c.a.8.f.d.a.f.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.3.t.4.g.4.8.g.j.6._.P.A.Y.M.E.N.T...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.v.a.l.u.e.i.n.f.i.n.i.t.e.V.M...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.4.-.0.0.0.1.-.0.0.1.7.-.a.a.4.e.-.3.a.7.e.f.b.4.6.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.6.e.f.1.2.5.e.5.0.7.7.7.c.1.9.0.1.6.8.b.0.9.3.3.d.c.1.b.0.4.1.0.0.0.0.0.0.0.0.!.0.0.0.0.e.3.8.1.0.d.2.1.6.0.0.b.b.0.1.1.3.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER40BE.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 12 06:54:23 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	306847
Entropy (8bit):	3.8248011042062893
Encrypted:	false
SSDEEP:	3072:h59gIOgF5Rso4g0aUCgUJVKMj7VTsNqktVfrRT0ZN/jd+pROH2SDbUDYsck38i:h59RpDm9g5TjJYYBTRkrh0kpl9
MD5:	EF1B3D04FE6E9278638343B90563E41C
SHA1:	6A92CA503B4FB5A6BE57A69A14852F75766A3EF2
SHA-256:	508A49F23892320A01D50D2347C5553EA81F0C6ED774973687EB9F8A1F9C15B8
SHA-512:	1F457EEB4557F2B2FB569FFA317817A8E595EC79100EEBC7F14A9A94F84256D3C141FDE25B360C177A41ADCFF97DB10B46D32D716AB2D49ABEA869AE312F4353
Malicious:	false
Preview:	MDMP....... ........{.`...................U...........B.......&......GenuineIntelW...........T.......t..._{.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EDD.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8438
Entropy (8bit):	3.7020515446608675
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNizN6M6YJVSU3w/jgmfZGSVCprn89bnasfONm:RrlsNiZ6M6YLSU3w/jgmf0S1n5fl
MD5:	D7FD4D77AE4CBE9D546552DCCBEB0454
SHA1:	72920FA887BB0257854AACFA05DEBD1E90F90BA4
SHA-256:	E38CA4B5A8F4BFDAC566326B67463984602897DBEEA95C865373BCA6E1111B4B
SHA-512:	22AD5E0D45975E285F3797E0F5ED689271C6694DB9D645B9B9D2BD95DB3E3A1AE44F2324BCBED75F5D7D02D08A6EE5DF2AC8BACFB229B1733133F1ECE721B86B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.2.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC2C.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4800
Entropy (8bit):	4.518003231098789
Encrypted:	false
SSDEEP:	48:cvIwSD8zsgJgtWI9cyWSC8BS8fm8M4JGFFt+q8vNz9gmibkJBBed:uITfmzTSN9JsKR9gsJBBed
MD5:	053F5DA168F81FB7A4F346AF2F12F765
SHA1:	D36D39E9B5F04BFEDE1A777C32DE750380C8FC7A
SHA-256:	FD185CEB967D561D88554F13718D3299F4413B6A8D754636445BBCAEBC433423
SHA-512:	C35BA475867E2729386C054B880A34260EC653C57160C08D35E671D9F046EF1FDC0AC61453FA718C6B4691AE9043641C96B6C8B2774A1419EE72402FFD1AF1BE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="985925" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC68.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	56240
Entropy (8bit):	3.053476393071879
Encrypted:	false
SSDEEP:	1536:XVHD3jxKN5MjZcr046S5Aevd5bUOtI+szgq1v62:XVHD3jxKN5MjZcr046S5Aevd5bU6I+sh
MD5:	5678794ED4AFADA5549ABF616FFE781A
SHA1:	F597D79405CCF2838712E49E9ED0F47296A0D8A6
SHA-256:	20A9F3450026F33C6A14425DA64E813BE81FC675D576693645B80553F9CC377A
SHA-512:	5042ACEEF8FBDCB657E6F008AE4C44811942DEDCBCC63679875E84C9CBDCADD0F55734823DEB9E3C60AD170DD8588FBF465A95EF110F00E0B36F7E6185DB1E73
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB87F.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6969687742225354
Encrypted:	false
SSDEEP:	96:9GiZYWkJ4L1OaYFYwWpeHQYEZw2jt5iEzqYs17waqFaUvh0UdzI0v3:9jZDkCSF2Kr+aUvh0UO0v3
MD5:	BB8BBCD080A887F5B9E44281B318DB46
SHA1:	69AA6E5063EF1E3B86021EC996729AE3B2376C6F
SHA-256:	CF1FC5B4C3D7454352FD316293D1160565639466A3650A68CB49F058BF3016B2
SHA-512:	C0968E7C6D6ED008858112D28730B6605BCFB095D024E19D481EA904D7512348276DE727D4A1EED3B5619D786E5FE8D932CF2983E0A4E53952955B10E2251B94
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	14734
Entropy (8bit):	4.993014478972177
Encrypted:	false
SSDEEP:	384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
MD5:	8D5E194411E038C060288366D6766D3D
SHA1:	DC1A8229ED0B909042065EA69253E86E86D71C88
SHA-256:	44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
SHA-512:	21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_elauq3ki.ml0.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ncewgnw3.qax.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w14rpytb.25y.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y12pedfd.ixi.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yw1y3y53.hqg.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zah0ezrw.ehs.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Ej:Ej
MD5:	5B39604C071FE95CDDD4F140631DDBCE
SHA1:	A2DA2E4C41AAC375127C23BB5E1083C95AEE156F
SHA-256:	E369706507154D1A34DC1D0A38E6AC34893B774936299A86EAA3EC708DE156F6
SHA-512:	934910C1F63D039492899A562F49C140DD1CCA7852FB049C6AC79E3EB1B039CB680110AEB91CE1ED051DFD69C6BC43460D5F3D1E7D88A354FE8FE7C9AE6DD0C4
Malicious:	true
Preview:	(.R....H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
File Type:	data
Category:	dropped
Size (bytes):	327768
Entropy (8bit):	7.999367066417797
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
MD5:	2E52F446105FBF828E63CF808B721F9C
SHA1:	5330E54F238F46DC04C1AC62B051DB4FCD7416FB
SHA-256:	2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
SHA-512:	C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\Documents\20210511\PowerShell_transcript.878411.68FOB_yb.20210511235334.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5217
Entropy (8bit):	5.417695523418659
Encrypted:	false
SSDEEP:	96:BZJTLLNQ1qDo1Z72ZTTLLNQ1qDo1Zp8D+DEDjZGTLLNQ1qDo1ZgvD0D9:n
MD5:	CFB4E49471003BAA780AACF9AC7FFD87
SHA1:	D8B217E2716AF6E9661D7FFA87DB3EE0BD475549
SHA-256:	8963C4AAE1D6854EF7D7B0D1E71529A44B2514E8AF40BC1919B1EEE3C93FA04C
SHA-512:	482B86E1AD26B7198A4BFCADCACCF9301D0F6258C982AC304441BCAFE07FE6BF0F736787E44920143A6C941A11F19FECD68C0C6F54D45F8D8F3B32652A84C1B8
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210511235359..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 878411 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe -Force..Process ID: 4668..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210511235400..******************..PS>Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe -Force..********************..Windows PowerShell transcript start..Start time: 20210512000222..Username: computer

C:\Users\user\Documents\20210511\PowerShell_transcript.878411.E9GVYDVQ.20210511235337.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1586
Entropy (8bit):	5.33741245385722
Encrypted:	false
SSDEEP:	48:BZMwvTLLoO+SWsXqDYB1Z6cW2ZYhvTLLoO+SWsXqDYB1ZA:BZMITLLNQyqDo1Z6J2ZATLLNQyqDo1ZA
MD5:	24B7153068B74F63D00506BD762CF0AF
SHA1:	F695E04DD31E7CCF7566E3F433A74E151E79AE32
SHA-256:	1BC99D330DB74DC6B97DC17D234CE3B318168E992DDC1096B597491B2D5C7D29
SHA-512:	AF36DF4F7BDF35A6C3F1CBF0F0E9472952A459C536B29EF1C14536E1213D5525641E56A5B9DD49EA1CF8F99B46970686DCE656494637AB7E797CCDD2BB8B8CAF
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210511235410..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 878411 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe -Force..Process ID: 1912..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210511235412..******************..PS>Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe -Force..********************..Windows PowerShell transcript start..Start time: 20210511235525..Username: computer

C:\Users\user\Documents\20210511\PowerShell_transcript.878411.ZQ4X65kJ.20210511235337.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4309
Entropy (8bit):	5.442531877682068
Encrypted:	false
SSDEEP:	96:BZ5NTLLN+qDo1ZJZPTLLN+qDo1Zlc+0jZzTLLN+qDo1ZVe:lU
MD5:	8A5EA0648FDE1D231A3B3F62DFF232E0
SHA1:	09463333CC5CEA72630A6F59E4128B60822C2D53
SHA-256:	41D5A08E8E4022B1319554A9B6DB233E0FBBB187F7BB87C74D3DC69CC68421DF
SHA-512:	9F88C010951C5D619A97F310094086CC1252B2B2C39B87254ECCA40730BE208CAD81A73743055119F7EDA31FE2111CD07D9F201993DFD11415E50AD962089EB2
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210511235403..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 878411 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe -Force..Process ID: 4896..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210511235404..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe -Force..********************..Windows PowerShell transcript start..Start time: 20210512000244..Username: computer\user..Run

C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe Download File
Process:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3867176
Entropy (8bit):	2.590642055759663
Encrypted:	false
SSDEEP:	24576:Bg2krlcNk1WgwmNHtf+Gqwqf/JOy0h1qMEIGCjx9h3CIf9rMRrdA7w1cYAnXs6M7:Bh
MD5:	9998F7E0C708BA1FA4B56235A9811C0F
SHA1:	E3810D21600BB0113B2D7116347326BEB6A35D83
SHA-256:	9F44F33F1B0B724292959B65AE6F2918CB1993641AD7832FFDBD68FC00FDDA2C
SHA-512:	69A0FEA89ADC2F259624E6ABA5CF20194A904E8656444DF6894785775F57DAEC33AB08903D5147152482D7CFAAFF91C30FA51965FE472EB1E91DF42B709432F2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 15%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%Y............"...0...:...........;.. ... ;...@.. .......................`;.....5S;...@...................................;.O.... ;...............:.(....@;...................................................... ............... ..H............text...4.:.. ....:................. ..`.rsrc........ ;.......:.............@..@.reloc.......@;.......:.............@..B..................;.....H.......`$..\|.:..........#...............................................&.(......".......".(.....Vs....(....t.........6.rK..p(.....".(......s...........0..9........~.........,".r...p.....(....o....s............~.....+......0...........~.....+....0...........~.....+....0............(.....+.+.........0..9.............r.:p+........(....(......(.......(......................%.. .o.........+L..........r..:p(........,.+*..o...........,.+...(.......~......o.........X..

C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	2.590642055759663
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	y3t4g48gj6_PAYMENT.exe
File size:	3867176
MD5:	9998f7e0c708ba1fa4b56235a9811c0f
SHA1:	e3810d21600bb0113b2d7116347326beb6a35d83
SHA256:	9f44f33f1b0b724292959b65ae6f2918cb1993641ad7832ffdbd68fc00fdda2c
SHA512:	69a0fea89adc2f259624e6aba5cf20194a904e8656444df6894785775f57daec33ab08903d5147152482d7cfaaff91c30fa51965fe472eb1e91df42b709432f2
SSDEEP:	24576:Bg2krlcNk1WgwmNHtf+Gqwqf/JOy0h1qMEIGCjx9h3CIf9rMRrdA7w1cYAnXs6M7:Bh
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%Y............"...0...:...........;.. ... ;...@.. .......................`;.....5S;...@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x7b032e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xD9F65925 [Sat Nov 17 01:55:49 2085 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	C=by64bc71k4HZ0Yw5C4bba6cc73Yfz0a, S=H9a5205c91ku3, L=5Jp25b35, T=NweE2NdNRd1J7Jb5wDdffe141z527c2ci41dgw3, E=4rhdU4t04, OU=484d0C6323bzd4c97q3, O=bR673KfoLs612894halpX4a4d0qGA2d583, CN=44Ql7muB5F53555J17d1o
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	5/11/2021 7:54:44 AM 5/11/2022 7:54:44 AM
Subject Chain	C=by64bc71k4HZ0Yw5C4bba6cc73Yfz0a, S=H9a5205c91ku3, L=5Jp25b35, T=NweE2NdNRd1J7Jb5wDdffe141z527c2ci41dgw3, E=4rhdU4t04, OU=484d0C6323bzd4c97q3, O=bR673KfoLs612894halpX4a4d0qGA2d583, CN=44Ql7muB5F53555J17d1o
Version:	3
Thumbprint MD5:	987431C54CFEF315C111B5AB521BCAC1
Thumbprint SHA-1:	DD65EBFE2F0AF6EC396DC73C4A037E87E321A06B
Thumbprint SHA-256:	93C6C15FCE022D65F38E693A5BADB285F2BE5AC5EC2BFC2707FBF16E192C6E96
Serial:	00BEABD3255E63776CE32FBB6B780B4783

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b02dc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b2000	0x5d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3aee00	0x1428	.text
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3b4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3ae334	0x3ae400	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x3b2000	0x5d8	0x600	False	0.421223958333	data	4.14589146106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3b4000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x3b20a0	0x34c	data
RT_MANIFEST	0x3b23ec	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2021
Assembly Version	1.0.0.0
InternalName	valueinfiniteVM.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	valueinfiniteVM
ProductVersion	1.0.0.0
FileDescription	valueinfiniteVM
OriginalFilename	valueinfiniteVM.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2021 23:54:01.991233110 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:02.134605885 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:02.135693073 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:02.315650940 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:02.478807926 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:02.480408907 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:02.671775103 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:02.672080994 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:02.816175938 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:02.863444090 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:02.887123108 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.079195976 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.126389980 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.126424074 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.126483917 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.126511097 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.126547098 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.126751900 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.269855022 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.269893885 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.269922018 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.270036936 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.270086050 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.270333052 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.270370007 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.270394087 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.270730972 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.270766020 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.270853996 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.271909952 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.411948919 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.413635969 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.413660049 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.413749933 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.413784027 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.413881063 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.414004087 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.414113998 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.414186954 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.414292097 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.414758921 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.414782047 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.414894104 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.414992094 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.415210009 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.415313005 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.415316105 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.415663004 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.415685892 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.415707111 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.415882111 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.415919065 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.416126013 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.416162968 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.416321039 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.416354895 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.416470051 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.416507959 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.416852951 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.559678078 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.559794903 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.559885979 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.560215950 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.560280085 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.560347080 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.560524940 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.560698032 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.560772896 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.560782909 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.561068058 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.561141014 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.561413050 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.561588049 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.561609030 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.561693907 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.561811924 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.561887026 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.562055111 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.562211037 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.562280893 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.562416077 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.562525988 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.562608957 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.562710047 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.562809944 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.562887907 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.562964916 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.563091993 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.563165903 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.563282967 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.563446045 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.563523054 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.563656092 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.563893080 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.564035892 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.564192057 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.564239979 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.564415932 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.564444065 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.564467907 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.564527988 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.564568996 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.564652920 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.564765930 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.564933062 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.564981937 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.565012932 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.703819990 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.703866959 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.703922033 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.703942060 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.703963041 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.703982115 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.703999996 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.704682112 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.706317902 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.706361055 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.706378937 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.706394911 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.706423998 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.706451893 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.706465006 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.706470013 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.706504107 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.706506014 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.706533909 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.706577063 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.706649065 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.706681013 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.706715107 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.706722021 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.706749916 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.706831932 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.706851959 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.706909895 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.706949949 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.706968069 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.706998110 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.707957029 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.708502054 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.710467100 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.710551977 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.710594893 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.710634947 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.710850000 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.710876942 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.710896969 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.710915089 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.710932970 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.710949898 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.710962057 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.710978985 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.710993052 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.711004972 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.711023092 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.711039066 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.711051941 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.711057901 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.711097956 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.711110115 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.711139917 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.711173058 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.711210012 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.711241961 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.711257935 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.711289883 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.711348057 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.711380959 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.711401939 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.711441040 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.711456060 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.711520910 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.711591959 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.711618900 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.711683035 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.711703062 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.711723089 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.711757898 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.711841106 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.847901106 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.847934961 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.847951889 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.848150015 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.848175049 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.848273039 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.848380089 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.848465919 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.848534107 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.849919081 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.849941969 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.850102901 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.850238085 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.850260973 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.850316048 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.850344896 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.850560904 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.850641966 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.850774050 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.851152897 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.851243973 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.851463079 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.851492882 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.851613045 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.851715088 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.851775885 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.851866007 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.852025032 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.852163076 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.852247000 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.852262974 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.852425098 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.852490902 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.853611946 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.855099916 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.855138063 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.855312109 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.855349064 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.855479956 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.855513096 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.855650902 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.855773926 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.855827093 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.855861902 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.856043100 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.856070042 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.856076002 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.856240988 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.856272936 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.856396914 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.856460094 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.856669903 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.856702089 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.856786966 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.856817961 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.856914997 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.857110977 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.857224941 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.857259035 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.857352972 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.857395887 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.857526064 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.857672930 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.857876062 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.857916117 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.857996941 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.858030081 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.858163118 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.858220100 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.858383894 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.858421087 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.858474016 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.858522892 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.858825922 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.860502958 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.991705894 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.991771936 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.991813898 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.991839886 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.992006063 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.992039919 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.992151976 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.992551088 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.993304014 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.993376970 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.993798971 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.993964911 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.994199038 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.994259119 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.994419098 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.994472980 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.994891882 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.995066881 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.997158051 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.998270035 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.999088049 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.999114037 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.000341892 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.000675917 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.000725031 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.000942945 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.001514912 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.001554012 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.001684904 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.001708984 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.002032995 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.002082109 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.002104998 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.002454996 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.002547026 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.002571106 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.002706051 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.003551960 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.003588915 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.003638983 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.003664970 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.003676891 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.003777027 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.003813028 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.003911018 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.003948927 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.004144907 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.004780054 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.005024910 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.005054951 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.005173922 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.005351067 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.005440950 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.005517006 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.005539894 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.006252050 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.006294012 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.006319046 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.006428003 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.006438017 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.006439924 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.008382082 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.008419991 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.008460999 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.008486986 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.008522034 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.008539915 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.008548975 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.008580923 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.008598089 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.008625031 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.008651018 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.008678913 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.008688927 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.008713961 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.052546024 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.149265051 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.149513006 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.150522947 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.150610924 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.151268959 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.151873112 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.151900053 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.151936054 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.151940107 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.151973009 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.152096033 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.152158022 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.152368069 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.152407885 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.152520895 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.152561903 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.152610064 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.152786970 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.152892113 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.153119087 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.153148890 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.153311968 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.153351068 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.153400898 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.153472900 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.153773069 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.153868914 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.154031992 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.154087067 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.154314041 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.154359102 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.154520035 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.154639006 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.154829979 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.154879093 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.155097961 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.155148983 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.155217886 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.155353069 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.155446053 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.155591011 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.155709982 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.155833006 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.155955076 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.156071901 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.156078100 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.156272888 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.156419039 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.156457901 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.156716108 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.156827927 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.156863928 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.157075882 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.157188892 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.157349110 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.157401085 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.157517910 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.157577038 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.157661915 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.157877922 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.158124924 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.158173084 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.158282042 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.158322096 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.158436060 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.158926964 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.158972979 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.158988953 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.159159899 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.159209967 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.159250975 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.159509897 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.159518003 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.159531116 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.159637928 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.159678936 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.159778118 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.159940958 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.160202026 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.160243034 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.160346031 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.160382032 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.160609961 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.161000013 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.161118984 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.161159992 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.161453009 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.161490917 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.161494017 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.161659956 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.161741018 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.161840916 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.162204027 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.162261963 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:04.162301064 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.163306952 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:04.705440998 CEST	49735	8090	192.168.2.6	194.5.97.75

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2021 23:53:12.693845987 CEST	53	64267	8.8.8.8	192.168.2.6
May 11, 2021 23:53:13.288600922 CEST	49448	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:13.337548971 CEST	53	49448	8.8.8.8	192.168.2.6
May 11, 2021 23:53:13.768048048 CEST	60342	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:13.826888084 CEST	53	60342	8.8.8.8	192.168.2.6
May 11, 2021 23:53:14.419569016 CEST	61346	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:14.468420982 CEST	53	61346	8.8.8.8	192.168.2.6
May 11, 2021 23:53:15.593247890 CEST	51774	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:15.641983986 CEST	53	51774	8.8.8.8	192.168.2.6
May 11, 2021 23:53:16.709300995 CEST	56023	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:16.760977030 CEST	53	56023	8.8.8.8	192.168.2.6
May 11, 2021 23:53:18.120974064 CEST	58384	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:18.178188086 CEST	53	58384	8.8.8.8	192.168.2.6
May 11, 2021 23:53:19.353452921 CEST	60261	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:19.410451889 CEST	53	60261	8.8.8.8	192.168.2.6
May 11, 2021 23:53:20.766933918 CEST	56061	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:20.821878910 CEST	53	56061	8.8.8.8	192.168.2.6
May 11, 2021 23:53:22.508728981 CEST	58336	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:22.566011906 CEST	53	58336	8.8.8.8	192.168.2.6
May 11, 2021 23:53:23.694828987 CEST	53781	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:23.744986057 CEST	53	53781	8.8.8.8	192.168.2.6
May 11, 2021 23:53:25.092776060 CEST	54064	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:25.144562006 CEST	53	54064	8.8.8.8	192.168.2.6
May 11, 2021 23:53:26.295615911 CEST	52811	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:26.344513893 CEST	53	52811	8.8.8.8	192.168.2.6
May 11, 2021 23:53:27.467045069 CEST	55299	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:27.524247885 CEST	53	55299	8.8.8.8	192.168.2.6
May 11, 2021 23:53:28.619930983 CEST	63745	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:28.668901920 CEST	53	63745	8.8.8.8	192.168.2.6
May 11, 2021 23:53:29.828959942 CEST	50055	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:29.880475044 CEST	53	50055	8.8.8.8	192.168.2.6
May 11, 2021 23:53:30.955908060 CEST	61374	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:31.015707016 CEST	53	61374	8.8.8.8	192.168.2.6
May 11, 2021 23:53:32.130070925 CEST	50339	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:32.190007925 CEST	53	50339	8.8.8.8	192.168.2.6
May 11, 2021 23:53:35.031847954 CEST	63307	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:35.083312035 CEST	53	63307	8.8.8.8	192.168.2.6
May 11, 2021 23:53:38.200325966 CEST	49694	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:38.248883963 CEST	53	49694	8.8.8.8	192.168.2.6
May 11, 2021 23:53:47.785288095 CEST	54982	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:47.842583895 CEST	53	54982	8.8.8.8	192.168.2.6
May 11, 2021 23:53:52.343401909 CEST	50010	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:52.402043104 CEST	53	50010	8.8.8.8	192.168.2.6
May 11, 2021 23:54:01.630276918 CEST	63718	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:01.852056026 CEST	53	63718	8.8.8.8	192.168.2.6
May 11, 2021 23:54:08.121082067 CEST	62116	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:08.183593035 CEST	53	62116	8.8.8.8	192.168.2.6
May 11, 2021 23:54:09.129223108 CEST	63816	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:09.188091040 CEST	53	63816	8.8.8.8	192.168.2.6
May 11, 2021 23:54:15.967436075 CEST	55014	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:16.193136930 CEST	53	55014	8.8.8.8	192.168.2.6
May 11, 2021 23:54:20.714508057 CEST	62208	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:20.841531992 CEST	53	62208	8.8.8.8	192.168.2.6
May 11, 2021 23:54:21.201359987 CEST	57574	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:21.258441925 CEST	53	57574	8.8.8.8	192.168.2.6
May 11, 2021 23:54:22.554590940 CEST	51818	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:22.611522913 CEST	53	51818	8.8.8.8	192.168.2.6
May 11, 2021 23:54:23.394865990 CEST	56628	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:23.454391003 CEST	53	56628	8.8.8.8	192.168.2.6
May 11, 2021 23:54:24.354697943 CEST	60778	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:24.413964987 CEST	53	60778	8.8.8.8	192.168.2.6
May 11, 2021 23:54:26.336348057 CEST	53799	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:26.441319942 CEST	53	53799	8.8.8.8	192.168.2.6
May 11, 2021 23:54:27.199091911 CEST	54683	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:27.257597923 CEST	53	54683	8.8.8.8	192.168.2.6
May 11, 2021 23:54:27.711756945 CEST	59329	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:27.769222021 CEST	53	59329	8.8.8.8	192.168.2.6
May 11, 2021 23:54:31.061930895 CEST	64021	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:31.122121096 CEST	53	64021	8.8.8.8	192.168.2.6
May 11, 2021 23:54:33.969976902 CEST	56129	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:34.032226086 CEST	53	56129	8.8.8.8	192.168.2.6
May 11, 2021 23:54:38.607516050 CEST	58177	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:38.667622089 CEST	53	58177	8.8.8.8	192.168.2.6
May 11, 2021 23:54:40.595410109 CEST	50700	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:40.644227028 CEST	53	50700	8.8.8.8	192.168.2.6
May 11, 2021 23:54:42.386462927 CEST	54069	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:42.443860054 CEST	53	54069	8.8.8.8	192.168.2.6
May 11, 2021 23:54:49.005872965 CEST	61178	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:49.086483955 CEST	53	61178	8.8.8.8	192.168.2.6
May 11, 2021 23:54:50.037343979 CEST	57017	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:50.087301970 CEST	53	57017	8.8.8.8	192.168.2.6
May 11, 2021 23:54:53.723217964 CEST	56327	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:53.783620119 CEST	53	56327	8.8.8.8	192.168.2.6
May 11, 2021 23:54:54.585988998 CEST	50243	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:54.654728889 CEST	53	50243	8.8.8.8	192.168.2.6
May 11, 2021 23:54:55.628778934 CEST	62055	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:55.687485933 CEST	53	62055	8.8.8.8	192.168.2.6
May 11, 2021 23:55:48.602257967 CEST	61249	53	192.168.2.6	8.8.8.8
May 11, 2021 23:55:48.659320116 CEST	53	61249	8.8.8.8	192.168.2.6
May 11, 2021 23:55:48.808475018 CEST	65252	53	192.168.2.6	8.8.8.8
May 11, 2021 23:55:48.865681887 CEST	53	65252	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 11, 2021 23:54:01.630276918 CEST	192.168.2.6	8.8.8.8	0xc28b	Standard query (0)	omaprilcode.duckdns.org	A (IP address)	IN (0x0001)
May 11, 2021 23:54:15.967436075 CEST	192.168.2.6	8.8.8.8	0x2bd2	Standard query (0)	omaprilcode.duckdns.org	A (IP address)	IN (0x0001)
May 11, 2021 23:54:23.394865990 CEST	192.168.2.6	8.8.8.8	0x3fa7	Standard query (0)	omaprilcode.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 11, 2021 23:54:01.852056026 CEST	8.8.8.8	192.168.2.6	0xc28b	No error (0)	omaprilcode.duckdns.org		194.5.97.75	A (IP address)	IN (0x0001)
May 11, 2021 23:54:16.193136930 CEST	8.8.8.8	192.168.2.6	0x2bd2	No error (0)	omaprilcode.duckdns.org		194.5.97.75	A (IP address)	IN (0x0001)
May 11, 2021 23:54:23.454391003 CEST	8.8.8.8	192.168.2.6	0x3fa7	No error (0)	omaprilcode.duckdns.org		194.5.97.75	A (IP address)	IN (0x0001)
May 11, 2021 23:54:49.086483955 CEST	8.8.8.8	192.168.2.6	0x7418	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: y3t4g48gj6_PAYMENT.exe PID: 7028 Parent PID: 5908

General

Start time:	23:53:20
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe'
Imagebase:	0xfc0000
File size:	3867176 bytes
MD5 hash:	9998F7E0C708BA1FA4B56235A9811C0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 7128 Parent PID: 560

General

Start time:	23:53:23
Start date:	11/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 4668 Parent PID: 7028

General

Start time:	23:53:31
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4104 Parent PID: 4668

General

Start time:	23:53:32
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 4896 Parent PID: 7028

General

Start time:	23:53:32
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' -Force
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4524 Parent PID: 4896

General

Start time:	23:53:32
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 1912 Parent PID: 7028

General

Start time:	23:53:32
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6408 Parent PID: 1912

General

Start time:	23:53:33
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6336 Parent PID: 7028

General

Start time:	23:53:38
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6356 Parent PID: 6336

General

Start time:	23:53:38
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: timeout.exe PID: 4752 Parent PID: 6336

General

Start time:	23:53:38
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0xa90000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: y3t4g48gj6_PAYMENT.exe PID: 6644 Parent PID: 7028

General

Start time:	23:53:44
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Imagebase:	0x240000
File size:	3867176 bytes
MD5 hash:	9998F7E0C708BA1FA4B56235A9811C0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: y3t4g48gj6_PAYMENT.exe PID: 6868 Parent PID: 7028

General

Start time:	23:53:47
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Imagebase:	0xa50000
File size:	3867176 bytes
MD5 hash:	9998F7E0C708BA1FA4B56235A9811C0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 7088 Parent PID: 560

General

Start time:	23:53:48
Start date:	11/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6824 Parent PID: 3440

General

Start time:	23:53:49
Start date:	11/05/2021
Path:	C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe'
Imagebase:	0x70000
File size:	3867176 bytes
MD5 hash:	9998F7E0C708BA1FA4B56235A9811C0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 15%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 4696 Parent PID: 560

General

Start time:	23:53:52
Start date:	11/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6396 Parent PID: 4696

General

Start time:	23:53:52
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7028 -ip 7028
Imagebase:	0x1360000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 5760 Parent PID: 7028

General

Start time:	23:53:55
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1780
Imagebase:	0x1360000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: svchost.exe PID: 5980 Parent PID: 3440

General

Start time:	23:53:58
Start date:	11/05/2021
Path:	C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe'
Imagebase:	0xc10000
File size:	3867176 bytes
MD5 hash:	9998F7E0C708BA1FA4B56235A9811C0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: svchost.exe PID: 6160 Parent PID: 560

General

Start time:	23:54:03
Start date:	11/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 5280 Parent PID: 560

General

Start time:	23:54:18
Start date:	11/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 2032 Parent PID: 560

General

Start time:	23:54:51
Start date:	11/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: y3t4g48gj6_PAYMENT.exe PID: 7028 Parent PID: 5908 y3t4g48gj6_PAYMENT.exeCOMMON

Executed Functions

Function 036BF5A8, Relevance: .6, Instructions: 624COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.567407561.00000000036B0000.00000040.00000001.sdmp, Offset: 036B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36b0000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71595aa25e5810357e21a4221faa67e482b714a8e8e118ff693bdd123e67161
Instruction ID: 23ab8d39db3ba8d0b2037ea1a0bb407a9d321778c69553f3e27969146340730a
Opcode Fuzzy Hash: f71595aa25e5810357e21a4221faa67e482b714a8e8e118ff693bdd123e67161
Instruction Fuzzy Hash: 07328F70A002199FCB14DF64C954AAEBBB6BF89344F158069E909DF3A5DB74DC82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01D38908, Relevance: 14.3, Strings: 9, Instructions: 3077COMMON

Download Yara Rule

Strings

tpk, xrefs: 01D3B656
pk, xrefs: 01D3B1B4
Hpk, xrefs: 01D3B528
,pk, xrefs: 01D3B779
(pk, xrefs: 01D3B3A4
lpk, xrefs: 01D3B343
pk, xrefs: 01D3B4C7
I5PI5, xrefs: 01D3893A, 01D3BE19
Xpk, xrefs: 01D3B030

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID: I5PI5$ pk$(pk$,pk$Hpk$Xpk$lpk$tpk$pk
API String ID: 0-3348108219
Opcode ID: 406a4f9458f51da24f58f2bb6dc22ad5b976350cb48c927b41b80519566a88d3
Instruction ID: f6edcf68a73dcc26e774755afda9ed0606edcba5b938d73e426a5dffe275096b
Opcode Fuzzy Hash: 406a4f9458f51da24f58f2bb6dc22ad5b976350cb48c927b41b80519566a88d3
Instruction Fuzzy Hash: 0C536A71A0025CAFDB259BA0CC51BAEB776FB48340F104099E6097A3D8DF721A99DF19

Uniqueness

Uniqueness Score: -1.00%

Function 01D388F8, Relevance: 14.3, Strings: 9, Instructions: 3038COMMON

Download Yara Rule

Strings

tpk, xrefs: 01D3B656
pk, xrefs: 01D3B1B4
Hpk, xrefs: 01D3B528
,pk, xrefs: 01D3B779
(pk, xrefs: 01D3B3A4
lpk, xrefs: 01D3B343
pk, xrefs: 01D3B4C7
I5PI5, xrefs: 01D3893A
Xpk, xrefs: 01D3B030

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID: I5PI5$ pk$(pk$,pk$Hpk$Xpk$lpk$tpk$pk
API String ID: 0-3348108219
Opcode ID: dc1fc9d06f913dc624969f1d8001cf007cce4c53ccc004fb619c5359cd8a90cd
Instruction ID: 978175a1858196d0ae42a37109b73b388c2abee949d3c819c3992c3173a32652
Opcode Fuzzy Hash: dc1fc9d06f913dc624969f1d8001cf007cce4c53ccc004fb619c5359cd8a90cd
Instruction Fuzzy Hash: AC536A71A0025CAFDB259BA0CC51BAEB776FB48340F104099E7097A3D8DF721A99DF19

Uniqueness

Uniqueness Score: -1.00%

Function 01D3D178, Relevance: 3.1, Strings: 2, Instructions: 589COMMON

Download Yara Rule

Strings

c, xrefs: 01D3D667
I5PI5, xrefs: 01D3D516, 01D3D52A

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID: I5PI5$c
API String ID: 0-305865033
Opcode ID: c5595040d4cc9a594b3b4277a8fa8ac2e4a7db822010f09c414f863e5639d79f
Instruction ID: 5625434346dde26d222095b100f0c73fa37e92c13cd28fa1d08e692266c42716
Opcode Fuzzy Hash: c5595040d4cc9a594b3b4277a8fa8ac2e4a7db822010f09c414f863e5639d79f
Instruction Fuzzy Hash: 10326434704A448FCB15DF69C488A6EBBF2FF89204B5584A9E546CB366DB34EC45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01D3D176, Relevance: 2.8, Strings: 2, Instructions: 273COMMON

Download Yara Rule

Strings

c, xrefs: 01D3D667
I5PI5, xrefs: 01D3D516, 01D3D52A

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID: I5PI5$c
API String ID: 0-305865033
Opcode ID: 8e164f3fe0ecc0ee01c10ddbf4f70a9cf9ea310f3e32af0cadc196f3b4896e33
Instruction ID: 74bf24dce95be9258e8cdb60b08f2229ce4d65840a7a8d958e5d3266160cab5d
Opcode Fuzzy Hash: 8e164f3fe0ecc0ee01c10ddbf4f70a9cf9ea310f3e32af0cadc196f3b4896e33
Instruction Fuzzy Hash: BAB12434B006058FCB14DF69C498AAEBBF6BF89204B1584A9E546DB375DB34EC05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01D32FC0, Relevance: 2.6, Strings: 1, Instructions: 1386COMMON

Download Yara Rule

Strings

4, xrefs: 01D33AE2

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-2942238612
Opcode ID: 4a15b6b626139a78ad097773426ac44fb26ccb818396687ce350a8d240d0c6aa
Instruction ID: 771506b02abb42e623d0e4e332618e89334eb8ced7c71c54d318a96bdaf39d90
Opcode Fuzzy Hash: 4a15b6b626139a78ad097773426ac44fb26ccb818396687ce350a8d240d0c6aa
Instruction Fuzzy Hash: 33E2EC34A002999FDB25EF60DC61BAEB772FB84340F104098DA0A2B798EF351E95DF55

Uniqueness

Uniqueness Score: -1.00%

Function 01D32F5D, Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

k^, xrefs: 01D32F7A
k^, xrefs: 01D32F8A

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID: k^$k^
API String ID: 0-1392760266
Opcode ID: 6f4ca049689cb34b72ed95dee86de3d489f317c7d39104363d998ab592b80232
Instruction ID: e56ea381f8e1d3a66b4765a86267711f622c1fb5cbea49937abc3df0675762ac
Opcode Fuzzy Hash: 6f4ca049689cb34b72ed95dee86de3d489f317c7d39104363d998ab592b80232
Instruction Fuzzy Hash: B931F1306053818FC7139F79C9D059A7BE5FF863A0B0A81AAC444CF162EA389C478BA5

Uniqueness

Uniqueness Score: -1.00%

Function 01D3C818, Relevance: 1.7, Strings: 1, Instructions: 468COMMON

Download Yara Rule

Strings

@ vl, xrefs: 01D3CB70

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID: @ vl
API String ID: 0-3212587714
Opcode ID: 3d20f0f723e2ca40f383babe20c80ddb06c0323cf7df859940e5131440c8d08e
Instruction ID: 13dd91aa9d4efbc979da8c9a030fc589a6a4785bb8f744fcbe06e8cd4d35b967
Opcode Fuzzy Hash: 3d20f0f723e2ca40f383babe20c80ddb06c0323cf7df859940e5131440c8d08e
Instruction Fuzzy Hash: 4A025C34B102058FCB14DF69C4949AEBBF2BF8D714B15816AE906EB365DB31DC06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01D36AF8, Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

d, xrefs: 01D36C44

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: a1207c58ff2d0b484a543b8cd75d9b937fc9f4471dfe72c9971bc65e475255e5
Instruction ID: 317a198ce5d759cc205df2da601fd1f73ef38ca4ce8e43dc25217f19054ef309
Opcode Fuzzy Hash: a1207c58ff2d0b484a543b8cd75d9b937fc9f4471dfe72c9971bc65e475255e5
Instruction Fuzzy Hash: 62716874A00A06AFCB15CF59C0C08AAFBF6FF88350755C569C9199B629EB30F951CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01D3CB28, Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

@ vl, xrefs: 01D3CB70

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID: @ vl
API String ID: 0-3212587714
Opcode ID: 9a998c2a75973688d4b3a11ae236237d99b6ea61246f9da5967d04658bd05381
Instruction ID: e45db29d8a15225b9cd46b4226e883980e08f536b9996d89e061d9785c0aa73e
Opcode Fuzzy Hash: 9a998c2a75973688d4b3a11ae236237d99b6ea61246f9da5967d04658bd05381
Instruction Fuzzy Hash: 64511734B102048FDB54DF79C498AADBBF2BF89644B1584A9E906EB365DB71EC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01D35455, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

pFvl, xrefs: 01D35490

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID: pFvl
API String ID: 0-51215857
Opcode ID: 835de2742781cddbdda2a3b4f3a003bcaf609a5dc3682b1d1724b71e29c2b965
Instruction ID: 221158a90ddc835c9b6322074123f319496b8721da5f9c960cb490babc92f737
Opcode Fuzzy Hash: 835de2742781cddbdda2a3b4f3a003bcaf609a5dc3682b1d1724b71e29c2b965
Instruction Fuzzy Hash: 9A519E31204381AFD352EB34D450A5EB7A2BF81394F458D6DC18AAF669DB74A908CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01D35488, Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

pFvl, xrefs: 01D35490

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID: pFvl
API String ID: 0-51215857
Opcode ID: aeeb9c4f2f36bb1a504a860f3dacfa040a5a2656c707d15705b0e6936c05b546
Instruction ID: d2d177a390441e79d0756f459768bf9ff9c863d9a6397d23ceb1d24e7c083760
Opcode Fuzzy Hash: aeeb9c4f2f36bb1a504a860f3dacfa040a5a2656c707d15705b0e6936c05b546
Instruction Fuzzy Hash: 20416C31204745AFD396EF35D440A4EB7A2FFC1394F81CD1CC14AAB669EB74B9088B95

Uniqueness

Uniqueness Score: -1.00%

Function 01D3E8AD, Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

vl, xrefs: 01D3E8D8

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID: vl
API String ID: 0-779334805
Opcode ID: e691970b06a2bb3fcc32e66d5fa6fdc9b1797170bbb1491ef3831ae4950f762e
Instruction ID: 274ba94a414a18c54f4d4bc11a725d46cd80808822ca63bc8fea7209acacf019
Opcode Fuzzy Hash: e691970b06a2bb3fcc32e66d5fa6fdc9b1797170bbb1491ef3831ae4950f762e
Instruction Fuzzy Hash: ED417A35F042098FCB50DFA9D4809DDBBF1EF88254B1585AAD959EB352DB30EC46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01D31695, Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

vl, xrefs: 01D316FB

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID: vl
API String ID: 0-779334805
Opcode ID: 76fad0412404ad48c2b9d56300d93353934c08501f2d309794c04b60af355297
Instruction ID: 1ddf9f0811e3cf4501ccc68529d7bb2226ec8b3756a6067759548766b88d2076
Opcode Fuzzy Hash: 76fad0412404ad48c2b9d56300d93353934c08501f2d309794c04b60af355297
Instruction Fuzzy Hash: 1F1156303083848FCB12DF39D8606DE77A2AFC5398F05483AD089DB6A6DF389C098765

Uniqueness

Uniqueness Score: -1.00%

Function 01D3EC90, Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

PI5, xrefs: 01D3ECAA

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID: PI5
API String ID: 0-1324293347
Opcode ID: 028c1eb79270f7c5fd8af8b2c55269d0a4c0e14d59240666d76f769a9c3045eb
Instruction ID: 98f19ab50df592d6d39d3c95f7c54aeaaab1e88f6139814e552dde5d1704b494
Opcode Fuzzy Hash: 028c1eb79270f7c5fd8af8b2c55269d0a4c0e14d59240666d76f769a9c3045eb
Instruction Fuzzy Hash: 831121313083409FC720CB6CE844F5AB7F4FB86350F05856AE254CB2E2D7A5E806C790

Uniqueness

Uniqueness Score: -1.00%

Function 01D316C0, Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

vl, xrefs: 01D316FB

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID: vl
API String ID: 0-779334805
Opcode ID: 7f5ef9b418a107bbaeaf902d07ff0c3c236d8a63cf1d6f196e9296f59c159c98
Instruction ID: eb2fb77ef0b0975d84d5444a9512dccc25b9885f8df4d4799bd2ecf3ce0f272e
Opcode Fuzzy Hash: 7f5ef9b418a107bbaeaf902d07ff0c3c236d8a63cf1d6f196e9296f59c159c98
Instruction Fuzzy Hash: 1D1125703042098BCB11EF3AD44069EB39BFFC8298F048438D58A9B798DF74DC0587A5

Uniqueness

Uniqueness Score: -1.00%

Function 01D3EC80, Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

PI5, xrefs: 01D3ECAA

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID: PI5
API String ID: 0-1324293347
Opcode ID: 6458e7c831532ab990988b4a09d0d03c5139ae6ffb9a864fe778b6d02f75e80c
Instruction ID: 9853e9693689bcf7c32c2db49078b891ce4d262af66929a06809e88122aa1c29
Opcode Fuzzy Hash: 6458e7c831532ab990988b4a09d0d03c5139ae6ffb9a864fe778b6d02f75e80c
Instruction Fuzzy Hash: 45F0CD313083418FD7218A28E809B8AB7E5AB85721F05866AF245CB1E1E3B1EC41C750

Uniqueness

Uniqueness Score: -1.00%

Function 036BEB20, Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.567407561.00000000036B0000.00000040.00000001.sdmp, Offset: 036B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36b0000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4143cc12b703eb3ed16e39fb37eb95b0f0dc271d5d42c8e61338b039479b6d45
Instruction ID: 1d2b95b15437c6a40b5a1812b96c437390ff610426f8760b8e1ac0e1ca2988ec
Opcode Fuzzy Hash: 4143cc12b703eb3ed16e39fb37eb95b0f0dc271d5d42c8e61338b039479b6d45
Instruction Fuzzy Hash: C3E1DE307042149FDB15DB74D858BAE7BB6AB88354F088468E90ADF394DF75DC82CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01D37AE0, Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feda73f400999d3240be5e78a7a1d69aa65b56d44d2d06d1bd34720313a66b8c
Instruction ID: 414904f377310200f9d5daad3afc7d499081e6cc7ae1f6335b9c16b9980a4cb4
Opcode Fuzzy Hash: feda73f400999d3240be5e78a7a1d69aa65b56d44d2d06d1bd34720313a66b8c
Instruction Fuzzy Hash: 59D117726046218FC716EB74D4404ADB7F1FFC5390B0689AAC90AEB359EB34ED05C791

Uniqueness

Uniqueness Score: -1.00%

Function 01D3E280, Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37cf085eef4e9701df7145ed020e74d6066162ffd8c8481e5cfd1a44108fb54
Instruction ID: 5857698e3bcd3b82a1edf52fef24ec3a0bcdc5a124eaae2673d21c10fc4b6b25
Opcode Fuzzy Hash: b37cf085eef4e9701df7145ed020e74d6066162ffd8c8481e5cfd1a44108fb54
Instruction Fuzzy Hash: 60D14A356006058FC715CF19C48096AB7F2FF88314B1ACA69D55A9B7A6EB30FC46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01D36730, Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0e7dd4ee629ebacf0a6da50c5cc59dc1c0d5fa719f375859b60a58b99bc00e
Instruction ID: 6905865a80d45197f827d723b583e94db8be606e2293dd27ac7f157b0d8badee
Opcode Fuzzy Hash: df0e7dd4ee629ebacf0a6da50c5cc59dc1c0d5fa719f375859b60a58b99bc00e
Instruction Fuzzy Hash: EAA1F770B082859F9F659779841057E3AD2AFC9504B168079C256CF7A5FF34CE0787A3

Uniqueness

Uniqueness Score: -1.00%

Function 01D30848, Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b444399d2cb1920fb6bf1d143de12501cf9338d8799084416f67480d625e94
Instruction ID: 62665c6e56eb64482cbdb86226b855e74891a0729205dbaa31cf21c57ac402ef
Opcode Fuzzy Hash: 20b444399d2cb1920fb6bf1d143de12501cf9338d8799084416f67480d625e94
Instruction Fuzzy Hash: 29B17F35A002499FCF05DFA9C850AAEBBB7FB88304F1180A9D905AB358DF349D56CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01D32855, Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1138f4c05c5a973bc808dd4032a1c70004361efafcdacc11595cdab15da7d2
Instruction ID: 749a602c8494cdf83922097915004de13a561e2b0d3f7760f2f0fba571e481d9
Opcode Fuzzy Hash: 5d1138f4c05c5a973bc808dd4032a1c70004361efafcdacc11595cdab15da7d2
Instruction Fuzzy Hash: 0FA135346043468FCB55DF34C48489EBBB2FF892547158A98E54ADB37AEB30ED45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01D3CF10, Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38027231a234cb698de7ec4f4679e1e26693f0f37e82148987560fa4103ef21d
Instruction ID: f6060aa4c9e5e87cadbcd68bfdc26d75e14cc40b131a8616cd711c5182adcd51
Opcode Fuzzy Hash: 38027231a234cb698de7ec4f4679e1e26693f0f37e82148987560fa4103ef21d
Instruction Fuzzy Hash: A1716C317046108FC718AF79C898A29BBF6EFC965471681AEE106CB3B1DB75DC42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01D32870, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fbb5bddedcf5d94695c85e513c8644402016d0e2186668c1f57c80c9cd6700d
Instruction ID: a6852c0cb2cdcaef73f1af1399d5e9a29fe73e15570a8fd9169fbd3efc2f2d26
Opcode Fuzzy Hash: 5fbb5bddedcf5d94695c85e513c8644402016d0e2186668c1f57c80c9cd6700d
Instruction Fuzzy Hash: 35A124346003469FCB55EF34C48485EB7B2FF89254B158A98E54ADB37ADB30ED45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01D37C98, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d3afc90d47c8a6dbfd0a8860d919fba1458a2fbfa0a0669239ad01751d468d
Instruction ID: a4a4b99d5e0e5346cf7a76bd187537f39ecaadcf807ce4e84ae5da779015e192
Opcode Fuzzy Hash: d2d3afc90d47c8a6dbfd0a8860d919fba1458a2fbfa0a0669239ad01751d468d
Instruction Fuzzy Hash: 727195726042268FC702EB70D4544ACB7B2FFD0290B468A59D906FF359FB30AE05C795

Uniqueness

Uniqueness Score: -1.00%

Function 01D3D9C0, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3999a97ca133523e1361dc583e7b802811db828213697634bcd37e02f4466ca
Instruction ID: 7b289f67e5bbead0008dfaf611fc38c343fdf11d927bda4409d4b73603af34f8
Opcode Fuzzy Hash: b3999a97ca133523e1361dc583e7b802811db828213697634bcd37e02f4466ca
Instruction Fuzzy Hash: DA817F75B006198FCB15DFA8C4849AEBBF6FF89250B5584AAE905DB361D730ED01CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01D34C50, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d29d4b0ac2e5e0ed98cead24b0d99843d3fa0b22411d5c572832221c3d54bd3e
Instruction ID: 39da471df057a0e72d12c76e499678648a7a2d6de4749d852d449b07de9ce582
Opcode Fuzzy Hash: d29d4b0ac2e5e0ed98cead24b0d99843d3fa0b22411d5c572832221c3d54bd3e
Instruction Fuzzy Hash: DA61BF31A0425A9FCB10DF68D8809AEF7F6FF84354B15CA59D509AB219DB31BD06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01D3C809, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e36aef0d878badb8574d2ca6c8c3c20987b3c8bbe7ea2cd17e1dade6db2ebf
Instruction ID: 53002477ba04d951fc4b3bac12ce967285617471745ff7adffbe52e03e484498
Opcode Fuzzy Hash: c0e36aef0d878badb8574d2ca6c8c3c20987b3c8bbe7ea2cd17e1dade6db2ebf
Instruction Fuzzy Hash: 16611C30B102158FDB14DF69C454AAEBBF6BF8C640B16816AD945FB365EB31DD02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01D3DFA8, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be731d1c6d60a2661c54d7715e1b57a04534a80c44ae336ebe4071d163866249
Instruction ID: c8f2166a5bd3dd46a326d8afe6be28426df118795f9a83a5c526380597281fa6
Opcode Fuzzy Hash: be731d1c6d60a2661c54d7715e1b57a04534a80c44ae336ebe4071d163866249
Instruction Fuzzy Hash: 8B51CD366006168FC711CF59D48089AFBF2FF89350B16C6AAE559DB366D730EC19CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01D304D0, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c219cec11b53899ffa21baa5288cdb646f9acaa27b1cda5232c362d86d36b16
Instruction ID: 56691777ce03a34f8988739803a054b6536f2a1ef34764981935c67b8d321a51
Opcode Fuzzy Hash: 7c219cec11b53899ffa21baa5288cdb646f9acaa27b1cda5232c362d86d36b16
Instruction Fuzzy Hash: 3851BE35B042009FCB04DB79C854A6AB7F7FBC8710F258068E806AB399DF75DD468BA1

Uniqueness

Uniqueness Score: -1.00%

Function 01D3E6C8, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db05b0e21728e36b7c3affc87b21f50cfa069bbd4b9c3e6057713c01dadb495d
Instruction ID: 01cbe1ac30edb1d5a847c4d4036e6ad10abbbadc1830b6b32bdba9acee893ac7
Opcode Fuzzy Hash: db05b0e21728e36b7c3affc87b21f50cfa069bbd4b9c3e6057713c01dadb495d
Instruction Fuzzy Hash: 61514B34B042448FC718DB29C09492A77E2AFC931476684ADE14ACF3B6DF35EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01D36455, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe95c55cf0b396d404122e92741ebc8b392b837b636d4fab0b8eb4df0b95c5f9
Instruction ID: fd7da3782d6809acefd480f5635659a0c13f9b10238c59247a837aa6d3858c14
Opcode Fuzzy Hash: fe95c55cf0b396d404122e92741ebc8b392b837b636d4fab0b8eb4df0b95c5f9
Instruction Fuzzy Hash: 68517D312043518FC366EB30D454A5EB7E3FFC5284B058A2DD54ADB799EB35A806CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01D30C32, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b4f3816f715c3c21e635579b0a369ca890809c1adbbc028242f30a8518bc84
Instruction ID: c5429a5b20b5b61b871d5b4ffb382342cf27d2f0a8b32f3468f59d3bd253dfac
Opcode Fuzzy Hash: b0b4f3816f715c3c21e635579b0a369ca890809c1adbbc028242f30a8518bc84
Instruction Fuzzy Hash: 5341B1716002589FCB44EF68D814A6EB7E6FFC4344B05C569D50DAF368DF719D0A8B90

Uniqueness

Uniqueness Score: -1.00%

Function 01D3FCE0, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a21d54ca7783d7e90f952cf9402e187cc699bf5187e4fd7109e6240db2e89f1
Instruction ID: 4f219bfa8fee99f9ec5cd30ea5d8c9c3e14b8471303c3afe1956ab90afd0240f
Opcode Fuzzy Hash: 7a21d54ca7783d7e90f952cf9402e187cc699bf5187e4fd7109e6240db2e89f1
Instruction Fuzzy Hash: 69419035A087488FD7318B29D18C76677E1BB88718F048D6DD4D683BA2D7B4F888C762

Uniqueness

Uniqueness Score: -1.00%

Function 01D3BFF1, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d88d21dc2c482aec26eb09e641820eef8bdaa9f6e5d22fa3f8b664e4706548
Instruction ID: 8a36e80ea402d748759556686102abd32fd8d911b42e9309c09daee1337ca89c
Opcode Fuzzy Hash: 90d88d21dc2c482aec26eb09e641820eef8bdaa9f6e5d22fa3f8b664e4706548
Instruction Fuzzy Hash: CE418B35A006098FDB11DF68C48096AF7F2FFC9314B1AC66AD569AB315DB31EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01D36478, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8c5435e1b50c8453757a88d65cd1571d093ef8b85b18f01bdaeedab317679a
Instruction ID: 06135a2bfa00a52409a2f3c6caf48763dbc6e6e47c5eecdba4ef695455d942d5
Opcode Fuzzy Hash: 9e8c5435e1b50c8453757a88d65cd1571d093ef8b85b18f01bdaeedab317679a
Instruction Fuzzy Hash: 1B4146313003159FC725EB70D454A6EB7E7FFC8284B058A2CD54ADB758EF31A80A8BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01D30C50, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37bb6e0359ddcd6c162b952735fa3e4b257d0f55cb1823c444226c2e33b77026
Instruction ID: fe53f8785182f80585966111ffebf2bb19d7c050e06f6258601ff4fe7b237056
Opcode Fuzzy Hash: 37bb6e0359ddcd6c162b952735fa3e4b257d0f55cb1823c444226c2e33b77026
Instruction Fuzzy Hash: A0418F71A002149FC748DB29D814A6EB7EBFBC8354B15C159D90AAF3A8DF709D45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01D3E6B8, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff7fa1ce725173b089ad330047fdf35af094cac0a18c5642438aad48c20f37f
Instruction ID: 0e510cde35c965b9f61ec34cbf9a87cf5cc52c4328ddb46d063941ea163f2416
Opcode Fuzzy Hash: 2ff7fa1ce725173b089ad330047fdf35af094cac0a18c5642438aad48c20f37f
Instruction Fuzzy Hash: 00413C30B041448FC718EB39D09492A77E2EFC934475684ADD18ADF3A5DE35DC46C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 01D30C60, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa24d1de29fade1507c44e07a5201d3c373bdc3cfce1575caaeb9e396a11997
Instruction ID: ed00a5fbe7b5260a7bfe76abcc168b15386a8ce7585325f906157b74c7f162bf
Opcode Fuzzy Hash: eaa24d1de29fade1507c44e07a5201d3c373bdc3cfce1575caaeb9e396a11997
Instruction Fuzzy Hash: 26417E716002149FC748DF29D814A6EB7EBFBC8754B15C158D90EAB3A8DF70AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01D306E0, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2945e4f68aae0eaee12cf4270ee7ac85aacee618fd333172e2c53b22b5805256
Instruction ID: 57f6ad7f54a6d3a65b552fc791086a8f5c82f18697097edf3d1a7eb16f59829b
Opcode Fuzzy Hash: 2945e4f68aae0eaee12cf4270ee7ac85aacee618fd333172e2c53b22b5805256
Instruction Fuzzy Hash: 4D31B231F041055B9B59AB7C441066F36E7ABC8394B15C128EA1EDB7D4DF34CC0287E2

Uniqueness

Uniqueness Score: -1.00%

Function 01D3DE30, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6acfdd48007b52dee859c0c3b2cc8c250ee93da963bcfcd788ee41a50276cb
Instruction ID: 6ba8e25cb230455cb418897717ff9759fceaebede3194402587c12e92722b8d3
Opcode Fuzzy Hash: ba6acfdd48007b52dee859c0c3b2cc8c250ee93da963bcfcd788ee41a50276cb
Instruction Fuzzy Hash: C5315935B00255AFCB15DF78D4849AEBBB2FF89214B1084A9E906CB369EB35DD11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01D3DE40, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb05693454449eb79648dca2788145f22da1672a544214c340da39e09a0fca8
Instruction ID: 4418c021678e709b49d978a48878f93d9809fa3691260c1e89d7d3a0d7e17b8d
Opcode Fuzzy Hash: 3cb05693454449eb79648dca2788145f22da1672a544214c340da39e09a0fca8
Instruction Fuzzy Hash: AB318B35B00254AFCB15DF38D48496EBBB2FF89204B0084A9E905CB359EB31ED11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01D38098, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126ad2ce1427c809eee2b6b893aeb421740bb7a8254761677f67e49ff7b9df59
Instruction ID: a1585fb1bab6747e82b958bf4c747eb76347b11e7c3ec3e56c524eb2f7cc13ae
Opcode Fuzzy Hash: 126ad2ce1427c809eee2b6b893aeb421740bb7a8254761677f67e49ff7b9df59
Instruction Fuzzy Hash: F3315C75B002088FC704EF79C4509AEB7F6FFC9250B108169E90AEB764DB31AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01D35A28, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55c00d9fb53974a8a2a6d61f7296ca56812c4e9e5e6f442e6369795a15b9c49
Instruction ID: 7a7559d4932af439775905132f2e6f6057bd91c1e734da6ff4beebdcae6cc3b1
Opcode Fuzzy Hash: d55c00d9fb53974a8a2a6d61f7296ca56812c4e9e5e6f442e6369795a15b9c49
Instruction Fuzzy Hash: 9821BF363003155BE719BB71A82463EA353FBC02A4F098C28C606AF38CEF719C0A8795

Uniqueness

Uniqueness Score: -1.00%

Function 036BEAE0, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.567407561.00000000036B0000.00000040.00000001.sdmp, Offset: 036B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36b0000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c55a5ea249c5a4f08a5827fc2534a60a213d99de0b709e82be569bb6f9ecd02
Instruction ID: e14e56d5381fbab15d7c22d6c7db19515c0494f510d7a0d8ff9ed5bc9055801d
Opcode Fuzzy Hash: 1c55a5ea249c5a4f08a5827fc2534a60a213d99de0b709e82be569bb6f9ecd02
Instruction Fuzzy Hash: B7212C316066508FC702CB34E599ADD7FB1AF86321F0985A6E846CF351D731DC85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01D32F27, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf32ab537ca68dc009ba2b496020152186e11b695c899b82b8940c797c2240b
Instruction ID: 6e134c2c2d591c209e28f4856c890c2ce437c72de6eeb398172c53c15484e918
Opcode Fuzzy Hash: 0cf32ab537ca68dc009ba2b496020152186e11b695c899b82b8940c797c2240b
Instruction Fuzzy Hash: 8621C231A043928FC7128F29D99055977E1FB953A0F0A42AAC445CF296EB39DC478BA5

Uniqueness

Uniqueness Score: -1.00%

Function 01D3EBD0, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ef6b212eb1048f6d5071c447431a1686dca6f3103232b8752f14dc0fe34995
Instruction ID: 4a95c4f9cf06b2a002f219aabcd52bde3ce0191f6bfea1ed18d3978e09560a06
Opcode Fuzzy Hash: 64ef6b212eb1048f6d5071c447431a1686dca6f3103232b8752f14dc0fe34995
Instruction Fuzzy Hash: BD217931B005198F8B14EF79E4848AEB7E6EFD821071180BAE906DB361DB31DD16CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01D35B40, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5657b5e0372836670b53df71763f7ea6587490e7cb2458a48cb671f01b1bcd
Instruction ID: 150fa748ca12f8b753fe699387aadf913975b923fe220963d6c7c6136dca5312
Opcode Fuzzy Hash: fc5657b5e0372836670b53df71763f7ea6587490e7cb2458a48cb671f01b1bcd
Instruction Fuzzy Hash: 8811EE302003118FCB24DF78E44096EB7A9FFC5294B058A2ED5468B314EB759C05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01D3EA60, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229f5d2ace1d0fcc98ce9b323282363509213980363827bff2e247b41f9c1507
Instruction ID: d37346759086e9a775a2b04c0277a986e5588e2b9a30ce8e4eaf24146df84dfb
Opcode Fuzzy Hash: 229f5d2ace1d0fcc98ce9b323282363509213980363827bff2e247b41f9c1507
Instruction Fuzzy Hash: 9B113332B00219CBDB259B69D8587AEBBB6BBD9261F044029E506F3384DF705D56CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 036BFC4B, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.567407561.00000000036B0000.00000040.00000001.sdmp, Offset: 036B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36b0000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4548f6d0278b1a909a01e09eaf867d168a2acc4a74040dda27f3f9ad663d8169
Instruction ID: 3617b2ff668bb00b52e271201d65d6bd958330dc014c240c52dcc42c5aecaa7a
Opcode Fuzzy Hash: 4548f6d0278b1a909a01e09eaf867d168a2acc4a74040dda27f3f9ad663d8169
Instruction Fuzzy Hash: D9216D31904208DFCB24CF94CD44BAABBFAEB49314F08846AE5198F661D375E994CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01D3EBCE, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28fd9ddab74477bc484f4c1cab5efa197151136d34363d6c2b6e977489ab3f5
Instruction ID: a14e1db8b75cf272e879d378c55f134bdfda1dc835d58669ab7b2f6e43ab78cc
Opcode Fuzzy Hash: e28fd9ddab74477bc484f4c1cab5efa197151136d34363d6c2b6e977489ab3f5
Instruction Fuzzy Hash: 64114831B005198F8B14EF78D4948AEB7F6EFD860071580AAE806EB365DB31DC06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01D3CD96, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54e8b5757ebaca87eb42d998bdc340cb3b52e096b75f1f34aad43a7c27096be
Instruction ID: 2dc95d4569d62f9bb8add335ace687bf1bfe6490339c2a322ca47e935d5da46f
Opcode Fuzzy Hash: c54e8b5757ebaca87eb42d998bdc340cb3b52e096b75f1f34aad43a7c27096be
Instruction Fuzzy Hash: 8211CE31B003516FC3159B39C884A2FB7A6FFC9250B14812EE046EB795CB70EC42C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01D36AE8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa898bf1a3543e2389184917888ed856d9eee2d44a999b863412bfbb462cfe8
Instruction ID: aa38797965dc99c21f6b65b527a1a4dfbcbea42f459b844cdf44957e471c3914
Opcode Fuzzy Hash: baa898bf1a3543e2389184917888ed856d9eee2d44a999b863412bfbb462cfe8
Instruction Fuzzy Hash: 8A217970A002499FCF25CF99D4C48AAFBF6FF88320714856AD91997266D730E910CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01D3CD98, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 986b8c155283b16844f5061158d09e81544a41d9d70f7fa4ed46ae290d872045
Instruction ID: 1aa51308a49cec6d043ecfa790e790e61166ad35faa7952303f184c543b97159
Opcode Fuzzy Hash: 986b8c155283b16844f5061158d09e81544a41d9d70f7fa4ed46ae290d872045
Instruction Fuzzy Hash: E811EC327003556FC315AB39C884A2FB7A6FFC9250B54812EE046AB795CB70EC42C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01D30839, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca833e07a88243d619d2886f8b5f3e37924381eb706fb8020d8232383ac0d5d
Instruction ID: bdbcb1eec851386a4915c6c318bfe42c2c203036d3e03c6895a98343eb9ba3f0
Opcode Fuzzy Hash: 7ca833e07a88243d619d2886f8b5f3e37924381eb706fb8020d8232383ac0d5d
Instruction Fuzzy Hash: 96119E31B00219DFCB54EFA9D850AEEBBF1EFC8214B1081AAE404EB351D7359909CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 01D31770, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9e70b44275ed199ed181a942bd1ba439b84bb530ec365152ac278745490c52
Instruction ID: d650d47f3bf1d45b2db31267521c15b65807989e5e3c7dc930948393148804dd
Opcode Fuzzy Hash: cb9e70b44275ed199ed181a942bd1ba439b84bb530ec365152ac278745490c52
Instruction Fuzzy Hash: 91117C71E0021A9BDB25DF79D0183AEBBB2AF8D350F14C129D406A7291DBB48849CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01D35B50, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86d9ac20102b68e493d90579a6b46271e82dafb0f393d5cd27ed41f502505ae
Instruction ID: cc2e6c58f8d8e2171f69ab6f5d881b240f6650f4d65f18f3b742a5200eea6d4c
Opcode Fuzzy Hash: f86d9ac20102b68e493d90579a6b46271e82dafb0f393d5cd27ed41f502505ae
Instruction Fuzzy Hash: 55119A753003158FCB24DF68E48492EB7AAFFC8298B054A2DD64A9B704EB75EC058B90

Uniqueness

Uniqueness Score: -1.00%

Function 01D34E59, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5590937bd206a24714fb0434a6aa2dd69312c6916e3f9bb626fd40252557cfe9
Instruction ID: b573bdf9fc9e8c55ff77a5b600da6ea4598de7462362f9025cd18498110fd4c2
Opcode Fuzzy Hash: 5590937bd206a24714fb0434a6aa2dd69312c6916e3f9bb626fd40252557cfe9
Instruction Fuzzy Hash: 0811BE302047458FC725EF34C44080EB7A2FFC12983058E6DD15ADB2A9EB71AC06CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01D37FF0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb00180c612f033d20cebc44f671c586925f3193721787c9fdcb72129a33002
Instruction ID: 593024d1892569ee847a12e643dd6e3d145ccf504ecb9dec7400cdd2c435e55e
Opcode Fuzzy Hash: 3bb00180c612f033d20cebc44f671c586925f3193721787c9fdcb72129a33002
Instruction Fuzzy Hash: 4301D2707043506FC3559A7DD814A2ABBE6FFDA290B11807EE50ADB395EA309C02C765

Uniqueness

Uniqueness Score: -1.00%

Function 01D3CD4F, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e0ad989e6ca93e7602da813102856e291af8957e44fcf688479984c69b3a37
Instruction ID: 7964f7a745ef040ec233f826e648ab390477705f59b925dbe802a328838826e2
Opcode Fuzzy Hash: 20e0ad989e6ca93e7602da813102856e291af8957e44fcf688479984c69b3a37
Instruction Fuzzy Hash: A3118835B001058FDB14CF78D484AADBBF2BF88314F1581AAE915AB3A1DB31DC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01D31780, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72001cf3e548a088eece1a174b117ad29637c4141ec50df887dd014dd42fe98
Instruction ID: 7ffe766e2ecb7b0c51e5eba00df8c4da3d64a98d2908d3c33d50dfd28032941e
Opcode Fuzzy Hash: c72001cf3e548a088eece1a174b117ad29637c4141ec50df887dd014dd42fe98
Instruction Fuzzy Hash: 23116D71E0020A9BDB26DF69D4183EEBBB6AF8D341F14C029D402B7351DFB48848CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01D34E68, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d39178d3ef51b213c177167c03294edfa07865927b975ba15f52c52dbc77499
Instruction ID: 2e294cc73aff57526ce2e3e51f4c9e03aec6b7d3f2bd2f890a3452445a059e44
Opcode Fuzzy Hash: 4d39178d3ef51b213c177167c03294edfa07865927b975ba15f52c52dbc77499
Instruction Fuzzy Hash: E21188312047469F8724EB34D44081EB7A6FFC02983158E2CD15E9B668EB71B80A8B94

Uniqueness

Uniqueness Score: -1.00%

Function 01D3F73C, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6fd5e2e7efc6b818a4bce9c9b32311a6c2fbba1225a398c8ca44128e9dd1a0
Instruction ID: 1b81e0abde9d98498ac8f99070db2ba4e683d6a5f4484fff20343118171d508a
Opcode Fuzzy Hash: fc6fd5e2e7efc6b818a4bce9c9b32311a6c2fbba1225a398c8ca44128e9dd1a0
Instruction Fuzzy Hash: 2601A7321083E42FCB529EA95C248FF7FECDE8E221709419BF994C6192C02CC911DB70

Uniqueness

Uniqueness Score: -1.00%

Function 01D38000, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e2a03e189dbe09228a8c218601e63ee2563812f656fa2344cd49ce846f8167
Instruction ID: 8a39695976045deecc8f4762685412ca9b38b657ff1587acf79bef28a677387f
Opcode Fuzzy Hash: 99e2a03e189dbe09228a8c218601e63ee2563812f656fa2344cd49ce846f8167
Instruction Fuzzy Hash: 31018FB07002146BC314967A9814A2AB6DAFBD9290B10802DE60ED7384ED31DC028365

Uniqueness

Uniqueness Score: -1.00%

Function 01D31229, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c960379fd20038961d3fe4e5fe1a42e1902189b3944f5fb7960b55ae430b438
Instruction ID: 2dd0d88b8f63e615965f3e8842a05b91556fb64af1010dcb2ef0766d37f8bcc6
Opcode Fuzzy Hash: 1c960379fd20038961d3fe4e5fe1a42e1902189b3944f5fb7960b55ae430b438
Instruction Fuzzy Hash: 98012676B043225FFB22492A9C61ABB3E97EFC4260B0A416AEA45C3141C636CC11D360

Uniqueness

Uniqueness Score: -1.00%

Function 01D3E9D8, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806511266a42b2112b74cb23b59b92a9d39da0174f0f9efc4fb9c1248d8050e1
Instruction ID: b5b07c4ad6587c021d2b288fa7610623b17daa208c53355c61a3d61942432618
Opcode Fuzzy Hash: 806511266a42b2112b74cb23b59b92a9d39da0174f0f9efc4fb9c1248d8050e1
Instruction Fuzzy Hash: 190117317042048FCB54DF2AD48491ABBFAFF8826471A84AAE506CB376DB71EC028B50

Uniqueness

Uniqueness Score: -1.00%

Function 01D3E9D6, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5837e674cd09ed3a93a7dda7eda9d67857b6cf4a5a8b49b07a07dac3dcbded9b
Instruction ID: b984826df5b4e582870c61738dd6eb55e4e5f7ea569f4ccd7366269a86fab55e
Opcode Fuzzy Hash: 5837e674cd09ed3a93a7dda7eda9d67857b6cf4a5a8b49b07a07dac3dcbded9b
Instruction Fuzzy Hash: 820113317002148FCB54DF29D88496ABBF5FF8826471A85AAE506CB376DB71EC02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01D304C1, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e2d192abff5be03a54badae055acc80dbdf05863733af044341d09c2b827b3
Instruction ID: ba05ef806f00aa1dcb830e68f6bf6c0f8ba7a8e2f39477d06edb772610cd213a
Opcode Fuzzy Hash: 12e2d192abff5be03a54badae055acc80dbdf05863733af044341d09c2b827b3
Instruction Fuzzy Hash: 6F01B571A042189BCB08CF69C844AEEF7F6ABCC720F25856DE401B7395DB71AD41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 01D381B8, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f94624e4112f0f7a8c2fe046e69071c6561d12622476fec0bcde63db79f6b6
Instruction ID: 77d076635d7e38dabacc4103b8d1d82d98c36f587473cf4dddaedef6ff4f506a
Opcode Fuzzy Hash: 29f94624e4112f0f7a8c2fe046e69071c6561d12622476fec0bcde63db79f6b6
Instruction Fuzzy Hash: 77F068323042599F9714DFA5EC40C9FB7A9FFC8275710893AE619D7254EB31E811D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01D31238, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48da682b7ea519ee20ef60fee208d2da0e07c79f8f8728143be95f2fb982351e
Instruction ID: 3c31dc989b82ff8626098186e55396ca40a130c905e00ed577ba37090953f966
Opcode Fuzzy Hash: 48da682b7ea519ee20ef60fee208d2da0e07c79f8f8728143be95f2fb982351e
Instruction Fuzzy Hash: 23F0B47BB042266BFB11485B5C61BBF6A8BEBC86A1F494125EE05C2240C576CD51E3A0

Uniqueness

Uniqueness Score: -1.00%

Function 01D3DDC0, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e87d1695807b26c6dd3bf3d47979bb1d2e9e737b6f6333fde4108f8ded3b422
Instruction ID: e37634b5af8df60cf2f2ada70732579f28bfed2e1fe2a5362d6a0905a3ea62ae
Opcode Fuzzy Hash: 9e87d1695807b26c6dd3bf3d47979bb1d2e9e737b6f6333fde4108f8ded3b422
Instruction Fuzzy Hash: A301D134701B01CFCB259AB9E408527BBE7FFC8208784882CD48286A14FB75E481CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01D381A8, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ef13fd138d9bd870d8692ea9b14f34a146f98fbc0c8a7fbd2dd507a4d06e69
Instruction ID: eb7f5e7457c57eb3045bb2396edbed6d5fcd466892d747c723c72baf87d6161d
Opcode Fuzzy Hash: 52ef13fd138d9bd870d8692ea9b14f34a146f98fbc0c8a7fbd2dd507a4d06e69
Instruction Fuzzy Hash: F301C8322092469FCB01CF74DC408EFBBF5FF882A4705892AE508D7264EB319D11DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01D3C788, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ee1a4878e4096b0c136d44054e6fdf59bb9bf50214518eb27f2b4496fcc6a4
Instruction ID: be47718043c50e572ef23989628e3fe74d2b806e3d4ad3f210063fd8538a84d7
Opcode Fuzzy Hash: 47ee1a4878e4096b0c136d44054e6fdf59bb9bf50214518eb27f2b4496fcc6a4
Instruction Fuzzy Hash: 1FF062313002244F8755E778E0508AF73E7EFC5298705492DD54AEB758EF24AD0A87E5

Uniqueness

Uniqueness Score: -1.00%

Function 01D3C790, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe8c1c9a8286e0ca12b6dfde4c24262b2bcb46008adcc8a23090b442ea24ba9
Instruction ID: b1c0383a70581a5ba8d3569949bf513adb3e32799f27dff6e574d124e5bf41ba
Opcode Fuzzy Hash: cbe8c1c9a8286e0ca12b6dfde4c24262b2bcb46008adcc8a23090b442ea24ba9
Instruction Fuzzy Hash: 8CF09A323042144B8755EB78E09086FB3D7EBC92983014928D60AEB758EF24AD0A83E6

Uniqueness

Uniqueness Score: -1.00%

Function 01D3DDB0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39476a2dfe36c7de4332b041e2e4b54485bf87c62b3b4fb47763703f411edee7
Instruction ID: 95eb94436455ab6b533bf3b501ca86f6f8cbbf2211f80efeac644639fa20fc1e
Opcode Fuzzy Hash: 39476a2dfe36c7de4332b041e2e4b54485bf87c62b3b4fb47763703f411edee7
Instruction Fuzzy Hash: B4F02431605B00CFCB318E68E404573BBB2BFC4304B44887EC88286925E375E845CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01D3DF98, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5dbfde4431397b7cd5a64c03e9727c23f39a1231efad9654a0302194be19bf
Instruction ID: 7fd77ddf6d1ec61c382a725f66facb922afece45b7c68baa07d3f049bf683910
Opcode Fuzzy Hash: ea5dbfde4431397b7cd5a64c03e9727c23f39a1231efad9654a0302194be19bf
Instruction Fuzzy Hash: 26F09A362006428FC7128B08E090CD9BBB6ABC635034AC1ABE505CB376DB31E956CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01D3C606, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 657171d8d6ba5c6c62b114bda0b10ff08d2a3d93c871b9dadb0de734754e0e99
Instruction ID: a6bb767b3f26ee146d83b820ce4c4ea0ec15a0a9f6261cd88e52c9cce1826e1f
Opcode Fuzzy Hash: 657171d8d6ba5c6c62b114bda0b10ff08d2a3d93c871b9dadb0de734754e0e99
Instruction Fuzzy Hash: 78F082306146910FD354FB74D02064E736BBFD0294F11CE28818A6BAACDF74EE0947A4

Uniqueness

Uniqueness Score: -1.00%

Function 01D3FF30, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa7bd98934b23173fb32001b671c586ff973e96b61121ea8cea1057216f6d88
Instruction ID: 70240fa27ba3baf6c8ac2fd94ae43a150f71d858a27cb16db9bc1e5df6d852a6
Opcode Fuzzy Hash: 6aa7bd98934b23173fb32001b671c586ff973e96b61121ea8cea1057216f6d88
Instruction Fuzzy Hash: D6E09B37A08BB90DE732567C60143A2BFD48B87225F0C8A9AD98D81581D555D55D87C1

Uniqueness

Uniqueness Score: -1.00%

Function 01D3DF51, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51db1e08461951061a67e36fb29133cb9e76c4fdbd45073e91427b2cd712130e
Instruction ID: b7f1afe70771b10e211d3b0cd3057b8ead520f085135112bd17887d68dcf76c3
Opcode Fuzzy Hash: 51db1e08461951061a67e36fb29133cb9e76c4fdbd45073e91427b2cd712130e
Instruction Fuzzy Hash: 94E0ED7320C3509FD355DA24A841997B7E5EB95320B15C86EE844D7284E731E842CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01D3E679, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4a0aa14cf9dcd2ae0b2e5cbbc32710fe148572113cf2c5a63de2c7dbc552d2
Instruction ID: 25ff1bd753e6dcc9996403cf1eca4233ef1f2c37b03731f67491d3abca6245ac
Opcode Fuzzy Hash: 0f4a0aa14cf9dcd2ae0b2e5cbbc32710fe148572113cf2c5a63de2c7dbc552d2
Instruction Fuzzy Hash: F8E07D716147414FCB218739E8008FE77F5DFC5250B06886FD54AC71B5DB209C05C740

Uniqueness

Uniqueness Score: -1.00%

Function 01D35C30, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd5adcb13dcd5747b7686ee17303692a0f3a7d72d750df6e9186b96895cdedc
Instruction ID: c6ede6f9acc2b6987e133408c42ec01b762fd3da101e25b9edcc87d8c021705f
Opcode Fuzzy Hash: 3bd5adcb13dcd5747b7686ee17303692a0f3a7d72d750df6e9186b96895cdedc
Instruction Fuzzy Hash: E3E0AE70E04208ABCF94DBB8E4485DDBBF1AB8A344F0085AAD909E3344EA352A199B44

Uniqueness

Uniqueness Score: -1.00%

Function 01D35C38, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ec14f2dce72849bbc4bf8fb2334aa5b9848dba8955c0ccb6a5ab986e47e754
Instruction ID: e72681808bb2b18ba2f08c2cafdea735f101f8b128901e5d1c10fe46e78daeb0
Opcode Fuzzy Hash: 43ec14f2dce72849bbc4bf8fb2334aa5b9848dba8955c0ccb6a5ab986e47e754
Instruction Fuzzy Hash: 6CE0B674E0420CAFCB44EFB8E44449DBBF5EB48204F0085EEA949E7344EB346A14CF85

Uniqueness

Uniqueness Score: -1.00%

Function 01D3E688, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a501809c4605c74fe994a569e33ea59b379c5622f894bb62cef50fb786e38a22
Instruction ID: a38748ef4bdde4e2ade0b9b9dc722ce75be18758853e8dcfa4f2459b65db144d
Opcode Fuzzy Hash: a501809c4605c74fe994a569e33ea59b379c5622f894bb62cef50fb786e38a22
Instruction Fuzzy Hash: 05D0A771204716578B24972BD4408AFB3D9EFC81A53058C29D60AC7658DF70FC0187C4

Uniqueness

Uniqueness Score: -1.00%

Function 01D37C50, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8787a742ce12a71dc2f73ffeb66dde84be97d4e0bc3c7d413e560b88fa7846
Instruction ID: 84951385ae939453dba50cedaf3158c6f69dd80387d4f801dba4853d7bc7458d
Opcode Fuzzy Hash: eb8787a742ce12a71dc2f73ffeb66dde84be97d4e0bc3c7d413e560b88fa7846
Instruction Fuzzy Hash: 70D05EA11097C40EE74242288C903863FA26BAA301F4F019A42C5CB7D6E59E4C4AC762

Uniqueness

Uniqueness Score: -1.00%

Function 01D31970, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61ad0f48748840f2cdec172713b68a489c031679db71c4fcf60f353c0a929298
Instruction ID: 6d7d337f18c2172b22d76c122df2809f9c910daa4359eab5563657578e99edfd
Opcode Fuzzy Hash: 61ad0f48748840f2cdec172713b68a489c031679db71c4fcf60f353c0a929298
Instruction Fuzzy Hash: 68D05E3010C7A58FCB57FF38A96209D77B0AF82650302499EC4818F59EEB280D0AC796

Uniqueness

Uniqueness Score: -1.00%

Function 01D36CE0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999f6afa3298e40d90ac8ec5dcc59fdfe6baae3a1d5332b46adebbf85bdab2b2
Instruction ID: 1fb1797e8aa6e9ea60ba2374a51db2142a5dff2b574aa97b60db283b35ab7341
Opcode Fuzzy Hash: 999f6afa3298e40d90ac8ec5dcc59fdfe6baae3a1d5332b46adebbf85bdab2b2
Instruction Fuzzy Hash: D7D0A730019344DFC7524B70D4530517BB0AE4223032587EFD056CB1A2CA659C03CB00

Uniqueness

Uniqueness Score: -1.00%

Function 01D35C00, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42bf114b9b77f3e369ab0c02a7c6694c21a49a4b0df87d7b02d040dad7f8af2
Instruction ID: ee9068da84a63180b84534df01c7d4d31f4b6156b78efa470f12c0a6566be60f
Opcode Fuzzy Hash: e42bf114b9b77f3e369ab0c02a7c6694c21a49a4b0df87d7b02d040dad7f8af2
Instruction Fuzzy Hash: 00D0A7308493485FC781CB68D40209C7BB49B4222430241EFE548CB221D2394C038B51

Uniqueness

Uniqueness Score: -1.00%

Function 01D31827, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b13b3706d10ced472d857931fb9ea9116303dca08c99fcc7c52600a8fc4887a
Instruction ID: 1369ee0c0f2707061634b0642f74b928f0e0b0faee975d8eecdd7042dd95ad20
Opcode Fuzzy Hash: 5b13b3706d10ced472d857931fb9ea9116303dca08c99fcc7c52600a8fc4887a
Instruction Fuzzy Hash: ABD0A736B000184F4F01D6F4F9000ECB772EBC9260F000161DC047B304CA252E144BE5

Uniqueness

Uniqueness Score: -1.00%

Function 01D37728, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488a71d53f823722a639e360b76f13b8d4d27b31b9af2411c3eff93221478c7c
Instruction ID: 1fedb8c8627dd3266d981bef0612510d097cdf5fd44a3d9d8722eec6fe024b59
Opcode Fuzzy Hash: 488a71d53f823722a639e360b76f13b8d4d27b31b9af2411c3eff93221478c7c
Instruction Fuzzy Hash: 9FD0C97014E3C64EDB13A734D40815C7F629B56258B0915DAD1C48A267E7A50828C71D

Uniqueness

Uniqueness Score: -1.00%

Function 01D30460, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db895b162fb6e63fd72cb68dfa4cb579d9c372927aa5e7061f2ef11bbe0b7bc
Instruction ID: 35897adf329cb22ecc454a1da4a308ed52552819d346d9e801324ed80c6e8866
Opcode Fuzzy Hash: 0db895b162fb6e63fd72cb68dfa4cb579d9c372927aa5e7061f2ef11bbe0b7bc
Instruction Fuzzy Hash: B6C08C310483A24FE7864B6828A00C0BBE1ED0252038A42C5C4C08B287E20C0D0B86A1

Uniqueness

Uniqueness Score: -1.00%

Function 01D36713, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b3204452574cc1855ed0339f6bbdc0f6a818bbbd1a81a0a20c89f2e1475949
Instruction ID: cf9a4c998b209868d550879a42689bfd53ad81248e66bbca059766aaeecca784
Opcode Fuzzy Hash: 00b3204452574cc1855ed0339f6bbdc0f6a818bbbd1a81a0a20c89f2e1475949
Instruction Fuzzy Hash: 65C08C300283088FCBA09F70F08009C73A1AA80294B004639C509990189B3218118B00

Uniqueness

Uniqueness Score: -1.00%

Function 01D37700, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188247e4403ab6410a8380504feb6a03915a0eec956649f79471efe6e41d41c3
Instruction ID: 1a34e0d2625540670f6355f5b2918204548f53870232b0d7335ab362e3ba646f
Opcode Fuzzy Hash: 188247e4403ab6410a8380504feb6a03915a0eec956649f79471efe6e41d41c3
Instruction Fuzzy Hash: 6DC012A190E3895FD701C63681646517BA09F6220872A40CA91048F152E2694C018751

Uniqueness

Uniqueness Score: -1.00%

Function 01D37C60, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a6c868e2b8e9c84248dee5d17828ed7057bfa32dfb1346edb78e4dbc2772f4
Instruction ID: 779d929d21d4363e3e41e130f5ba0d96fbe1a3cd2726e913236b83fbf6da172d
Opcode Fuzzy Hash: d7a6c868e2b8e9c84248dee5d17828ed7057bfa32dfb1346edb78e4dbc2772f4
Instruction Fuzzy Hash: D8C08CB82042004FD3048B20C844A2F7AE2EBE8302F4AC01A92458B228DA748882DB65

Uniqueness

Uniqueness Score: -1.00%

Function 01D36718, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c578096b0aeb9cb3048e2a496b755ca8d06a34038289ab0d12049058198fb7
Instruction ID: 848426d5a7b2f3c88642a6be4126868f178d159831cc946d1f80699ef3e96340
Opcode Fuzzy Hash: 92c578096b0aeb9cb3048e2a496b755ca8d06a34038289ab0d12049058198fb7
Instruction Fuzzy Hash: 97B0123000824D4F8A50AFB1F40445C735DA5401487401610930D9E51D7F6928204788

Uniqueness

Uniqueness Score: -1.00%

Function 01D37738, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cbc61b0bbb53b2d8ccfb1dd94461c306b64a7be8b40a962cd17238ddf0ca12f
Instruction ID: d00224b3d76e7b0bd564a79652996bfb8d29ff14448ed0369fa4637ddab38c7f
Opcode Fuzzy Hash: 7cbc61b0bbb53b2d8ccfb1dd94461c306b64a7be8b40a962cd17238ddf0ca12f
Instruction Fuzzy Hash: 77B0123000520E8F8E50BF72F40542C335DE5801487800511A30C5F11D7F682814C7C8

Uniqueness

Uniqueness Score: -1.00%

Function 01D366EB, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc829a8ad4327a2cbe78c27d672b6e57e652f9c266d8d21645ed682130f22cd
Instruction ID: 5d28d157a14f1a7c4eeef29f4ae7414e4af1ce6c5b6e695d7641b36e1d218753
Opcode Fuzzy Hash: 5bc829a8ad4327a2cbe78c27d672b6e57e652f9c266d8d21645ed682130f22cd
Instruction Fuzzy Hash: 34B09B20A141184FCB00C939D05565572D5ABC120CF365159511C5B545E5375C054591

Uniqueness

Uniqueness Score: -1.00%

Function 01D36CF0, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.564472033.0000000001D30000.00000040.00000001.sdmp, Offset: 01D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d30000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b061cd83d31cd4ff7717378e936fd0f310d2e4e8e7e9853c7f521fe8c0938c8b
Instruction ID: 1a1197548eb328ced13e22e3d45a29c127e01b1e8e6a86a9cc38692afe5cb759
Opcode Fuzzy Hash: b061cd83d31cd4ff7717378e936fd0f310d2e4e8e7e9853c7f521fe8c0938c8b
Instruction Fuzzy Hash: E2B012320143088783025758FC46511B3AC5641634334439CB13E4E2D1CEA2F822C744

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 036B04D8, Relevance: 1.0, Instructions: 1018COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.567407561.00000000036B0000.00000040.00000001.sdmp, Offset: 036B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36b0000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf3376dd5415f42e7dabae485a55a502408fff1214b7b7b76b7b690b940a462
Instruction ID: eea4f3cedbd9ddce25f111425a0f0c9296214fa7e173e55a27709aaa649ebc0e
Opcode Fuzzy Hash: baf3376dd5415f42e7dabae485a55a502408fff1214b7b7b76b7b690b940a462
Instruction Fuzzy Hash: 8E926931A042458FCB15DF69C584AAEFBF2FF88304B1989AAD4459B756DB30EC85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 036B18D0, Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.567407561.00000000036B0000.00000040.00000001.sdmp, Offset: 036B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36b0000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64913f167f7147ca9a4475027ccd5db1406d500440908290fc7c3ea20ec6715a
Instruction ID: 9639a87b70f3f793a4724b77b1e053bcf832938ecd556c6f61647a0fce69a933
Opcode Fuzzy Hash: 64913f167f7147ca9a4475027ccd5db1406d500440908290fc7c3ea20ec6715a
Instruction Fuzzy Hash: EB424A30B002449FCB15DF68C598AAEBBF2BF89340F158469D556DB3A5DB70EC86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 036B25A0, Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.567407561.00000000036B0000.00000040.00000001.sdmp, Offset: 036B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36b0000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae318d44295054ad9e98105a5e7766b3255c0392075424ab27a095b67c5318f
Instruction ID: 82df5aedec95dca08439e1366764dc6b483c56ddd2521e4a5634efc0de2f5eac
Opcode Fuzzy Hash: 9ae318d44295054ad9e98105a5e7766b3255c0392075424ab27a095b67c5318f
Instruction Fuzzy Hash: BA223930A00219CFCB29DF64C998AADBBF2BF49344F5484A9E809AB355DB31DD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 036B1170, Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.567407561.00000000036B0000.00000040.00000001.sdmp, Offset: 036B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36b0000_y3t4g48gj6_PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e3fa92d8bc80d2f5ee2d353035d100a9b2a727bf53007660fbf92b59e0cfdf
Instruction ID: e0683b98030a0a5f36b0ab1e04574d09f666554c42ee264674e2f092999912a2
Opcode Fuzzy Hash: 73e3fa92d8bc80d2f5ee2d353035d100a9b2a727bf53007660fbf92b59e0cfdf
Instruction Fuzzy Hash: A2123874A002459FCB14DF68C594AAEBBF2FF89300B1AC499E549EB366D730ED45CB60

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report y3t4g48gj6_PAYMENT.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos