Play interactive tour

Edit tour

Analysis Report y3t4g48gj6_PAYMENT.exe

Overview

General Information

Sample Name:	y3t4g48gj6_PAYMENT.exe
Analysis ID:	411514
MD5:	9998f7e0c708ba1fa4b56235a9811c0f
SHA1:	e3810d21600bb0113b2d7116347326beb6a35d83
SHA256:	9f44f33f1b0b724292959b65ae6f2918cb1993641ad7832ffdbd68fc00fdda2c
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected Nanocore RAT

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Creates an autostart registry key pointing to binary in C:\Windows

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Non Interactive PowerShell

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

y3t4g48gj6_PAYMENT.exe (PID: 7028 cmdline: 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' MD5: 9998F7E0C708BA1FA4B56235A9811C0F)

powershell.exe (PID: 4668 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 4896 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 1912 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6336 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 4752 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

y3t4g48gj6_PAYMENT.exe (PID: 6644 cmdline: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe MD5: 9998F7E0C708BA1FA4B56235A9811C0F)

y3t4g48gj6_PAYMENT.exe (PID: 6868 cmdline: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe MD5: 9998F7E0C708BA1FA4B56235A9811C0F)

WerFault.exe (PID: 5760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1780 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 7128 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7088 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6824 cmdline: 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' MD5: 9998F7E0C708BA1FA4B56235A9811C0F)

svchost.exe (PID: 4696 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 6396 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7028 -ip 7028 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 5980 cmdline: 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' MD5: 9998F7E0C708BA1FA4B56235A9811C0F)

svchost.exe (PID: 6160 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5280 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2032 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f8dffc54-5ec5-4013-9de8-d8d85368", "Group": "CODEDBASE", "Domain1": "omaprilcode.duckdns.org", "Domain2": "omaprilcode.duckdns.org", "Port": 8090, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3bf37d:$x1: NanoCore.ClientPluginHost 0x3bf3ba:$x2: IClientNetworkHost 0x3c2eed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3bf0e5:$a: NanoCore 0x3bf0f5:$a: NanoCore 0x3bf329:$a: NanoCore 0x3bf33d:$a: NanoCore 0x3bf37d:$a: NanoCore 0x3bf144:$b: ClientPlugin 0x3bf346:$b: ClientPlugin 0x3bf386:$b: ClientPlugin 0x3bf26b:$c: ProjectData 0x3bfc72:$d: DESCrypto 0x3c763e:$e: KeepAlive 0x3c562c:$g: LogClientMessage 0x3c1827:$i: get_Connected 0x3bffa8:$j: #=q 0x3bffd8:$j: #=q 0x3bfff4:$j: #=q 0x3c0024:$j: #=q 0x3c0040:$j: #=q 0x3c005c:$j: #=q 0x3c008c:$j: #=q 0x3c00a8:$j: #=q
Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5ecfd3:$x1: NanoCore.ClientPluginHost 0x5ed034:$x2: IClientNetworkHost 0x5f2439:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6003ab:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5ecad8:$a: NanoCore 0x5ecaf4:$a: NanoCore 0x5ecc4f:$a: NanoCore 0x5ecc5e:$a: NanoCore 0x5ecf37:$a: NanoCore 0x5ecf63:$a: NanoCore 0x5ecfd3:$a: NanoCore 0x5fca15:$a: NanoCore 0x5fca27:$a: NanoCore 0x5fca63:$a: NanoCore 0x5ecb7f:$b: ClientPlugin 0x5ecca8:$b: ClientPlugin 0x5ecf6c:$b: ClientPlugin 0x5ecfdc:$b: ClientPlugin 0x5fca30:$b: ClientPlugin 0x5fca6c:$b: ClientPlugin 0x5ecdf5:$c: ProjectData 0x5fc962:$c: ProjectData 0x20a6b44:$c: ProjectData 0x20a993b:$c: ProjectData 0x5edf31:$d: DESCrypto
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 3 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe, ProcessId: 6868, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' , ParentImage: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe, ParentProcessId: 7028, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force, ProcessId: 4668

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f8dffc54-5ec5-4013-9de8-d8d85368", "Group": "CODEDBASE", "Domain1": "omaprilcode.duckdns.org", "Domain2": "omaprilcode.duckdns.org", "Port": 8090, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe

ReversingLabs: Detection: 14%

Multi AV Scanner detection for submitted file

Show sources

Source: y3t4g48gj6_PAYMENT.exe

ReversingLabs: Detection: 14%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028, type: MEMORY
Source: Yara match	File source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: y3t4g48gj6_PAYMENT.exe

Joe Sandbox ML: detected

Source: y3t4g48gj6_PAYMENT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.405369996.0000000000C5B000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.401704873.0000000000C25000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbX source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: ml.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Dynamic.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdbv}F source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: y3t4g48gj6_PAYMENT.PDB source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbl}L source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: System.Dynamic.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: psapi.pdbGLK source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: ml.pdb\| source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.CSharp.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: i.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdbULY source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdbILM source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.CSharp.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb^}~ source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: indows.Forms.pdb{{ source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdb8 source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.562679881.0000000001A4E000.00000004.00000020.sdmp, WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: t.CSharp.pdb&& source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: combase.pdb source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb% source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: ynamic.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: p8C:\Windows\System.Core.pdb source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: urlmon.pdb/Lc source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbtXm. source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.562854544.0000000001A5B000.00000004.00000020.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: rawing.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: .pdb0 source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: ility.pdb= source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: rawing.pdbV source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb;L source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb`}p source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000014.00000003.460718316.0000000005078000.00000004.00000040.sdmp
Source:	Binary string: pe.pdb source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbx}X source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb#L source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.401704873.0000000000C25000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: profapi.pdbj}J source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbCv source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb1Le source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: c.pdbisualB source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdbR}b source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: version.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: System.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.562679881.0000000001A4E000.00000004.00000020.sdmp
Source:	Binary string: t.CSharp.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3hl source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: ore.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.PDB source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: cldapi.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000014.00000003.460331688.0000000005061000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbp source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000014.00000003.460331688.0000000005061000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbT}d source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: edputil.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: omaprilcode.duckdns.org

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: omaprilcode.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.6:49735 -> 194.5.97.75:8090

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: svchost.exe, 0000001B.00000002.518563140.00000193D7515000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001B.00000002.518563140.00000193D7515000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001B.00000003.496979181.00000193D7565000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-05-11T09:38:07.3274264Z\|\|.\|\|7e6d3bb3-74bc-4bd2-8463-13ea3a980d3c\|\|1152921505693476823\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000001B.00000003.496979181.00000193D7565000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-05-11T09:38:07.3274264Z\|\|.\|\|7e6d3bb3-74bc-4bd2-8463-13ea3a980d3c\|\|1152921505693476823\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000001B.00000002.518563140.00000193D7515000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001B.00000002.518563140.00000193D7515000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001B.00000003.474278546.00000193D7580000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-28T14:19:25.9172986Z\|\|.\|\|2e8b091b-9a79-4b36-a1ad-1238cc769fa9\|\|1152921505693355901\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-28T14:18:40.1620745Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":541214496,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_neutral_~_ytsefhwckbdv6","PackageId":"b3805e6c-7a08-4cff-113c-76cb28cda307-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":541214496,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_neutral_~_ytsefhwckbdv6","PackageId":"b3805e6c-7a08-4cff-113c-76cb28cda307-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":541214496,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_neutral_~_ytsefhwckbdv6","PackageId":"b3805e6c-7a08-4cff-113c-76cb28cda307-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.41.4100.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000001B.00000003.475043842.00000193D751E000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-28T14:19:25.9172986Z\|\|.\|\|2e8b091b-9a79-4b36-a1ad-1238cc769fa9\|\|1152921505693355901\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-28T14:18:40.1620745Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000001B.00000003.474464763.00000193D7561000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-28T14:19:25.9172986Z\|\|.\|\|2e8b091b-9a79-4b36-a1ad-1238cc769fa9\|\|1152921505693355901\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-28T14:18:40.1620745Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000001B.00000003.475043842.00000193D751E000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","SkuTitle":"Messenger","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9WZDNCRF0083","Properties":{"FulfillmentData":{"ProductId":"9WZDNCRF0083","WuCategoryId":"c6a9fa5c-20a2-4e12-904d-edd408657dc8","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x64"],"Capabilities":["runFullTrust","internetClient","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":140842379,"PackageFormat":"Appx","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","MainPackageFamilyNameForDlc":null,"PackageFullName":"FACEBOOK.317180B0BB486_970.11.116.0_x64__8xx8rvfyw5nnt","PackageId":"7f326ffb-6d38-0c43-2776-11d49b129880-X64","PackageRank":30002,"PlatformDependencies":[{"MaxTested":2814750970478592,"MinVersion":2814750438195200,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"FACEBOOK.317180B0BB486_970.11.116.0_x64__8xx8rvfyw5nnt\",\"content.productId\":\"3219d30d-4a23-4f58-a91c-c44b04e6a0c7\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750970478592,\"platform.minVersion\":2814750438195200,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Social\",\"optOut.bac

Source: unknown

DNS traffic detected: queries for: omaprilcode.duckdns.org

Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: svchost.exe, 0000001B.00000002.518530642.00000193D7500000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: svchost.exe, 0000001B.00000002.518530642.00000193D7500000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000001F.00000002.643801332.000001F18E412000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: svchost.exe, 0000001B.00000002.512670902.00000193D6C82000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: svchost.exe, 0000001B.00000002.514011239.00000193D6CEA000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 0000001F.00000002.643801332.000001F18E412000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: svchost.exe, 0000001F.00000002.643801332.000001F18E412000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000005.00000003.482507210.000000000812F000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 0000001F.00000002.644438974.000001F18E630000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: powershell.exe, 00000005.00000003.482507210.000000000812F000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.493537589.00000193D7566000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: powershell.exe, 00000005.00000003.482507210.000000000812F000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000003.511991021.000000000552F000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: y3t4g48gj6_PAYMENT.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028, type: MEMORY
Source: Yara match	File source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: y3t4g48gj6_PAYMENT.exe

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File created: C:\Windows\Resources\Themes\agcQ435Jh2M0514

Jump to behavior

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Code function: 1_2_036BF5A8
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Code function: 1_2_036B1170
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Code function: 1_2_036B18D0
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Code function: 1_2_036B25A0
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Code function: 1_2_036B04D8

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7028 -ip 7028

Source: y3t4g48gj6_PAYMENT.exe

Static PE information: invalid certificate

Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000000.321602634.0000000001372000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs y3t4g48gj6_PAYMENT.exe
Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWEMZ Fyj.exe2 vs y3t4g48gj6_PAYMENT.exe
Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs y3t4g48gj6_PAYMENT.exe
Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.635619861.0000000006BD0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs y3t4g48gj6_PAYMENT.exe
Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.632793940.0000000005D00000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs y3t4g48gj6_PAYMENT.exe
Source: y3t4g48gj6_PAYMENT.exe, 0000000C.00000002.378845446.00000000005F2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs y3t4g48gj6_PAYMENT.exe
Source: y3t4g48gj6_PAYMENT.exe, 0000000E.00000003.418531659.00000000014F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs y3t4g48gj6_PAYMENT.exe
Source: y3t4g48gj6_PAYMENT.exe, 0000000E.00000000.382673075.0000000000E02000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs y3t4g48gj6_PAYMENT.exe
Source: y3t4g48gj6_PAYMENT.exe	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs y3t4g48gj6_PAYMENT.exe

Source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.562679881.0000000001A4E000.00000004.00000020.sdmp

Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.evad.winEXE@32/27@3/3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20210511

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4104:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_01
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{f8dffc54-5ec5-4013-9de8-d8d853682f44}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6356:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4524:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7028

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yw1y3y53.hqg.ps1

Jump to behavior

Source: y3t4g48gj6_PAYMENT.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: y3t4g48gj6_PAYMENT.exe

ReversingLabs: Detection: 14%

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File read: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7028 -ip 7028
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1780
Source: unknown	Process created: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' -Force
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7028 -ip 7028
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1780
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: y3t4g48gj6_PAYMENT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: y3t4g48gj6_PAYMENT.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: y3t4g48gj6_PAYMENT.exe

Static file information: File size 3867176 > 1048576

Source: y3t4g48gj6_PAYMENT.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3ae400

Source: y3t4g48gj6_PAYMENT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.405369996.0000000000C5B000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.401704873.0000000000C25000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbX source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: ml.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Dynamic.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdbv}F source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: y3t4g48gj6_PAYMENT.PDB source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbl}L source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: System.Dynamic.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: psapi.pdbGLK source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: ml.pdb\| source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.CSharp.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: i.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdbULY source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdbILM source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.CSharp.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb^}~ source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: indows.Forms.pdb{{ source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdb8 source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.562679881.0000000001A4E000.00000004.00000020.sdmp, WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: t.CSharp.pdb&& source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: combase.pdb source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb% source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: ynamic.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: p8C:\Windows\System.Core.pdb source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: urlmon.pdb/Lc source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbtXm. source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.562854544.0000000001A5B000.00000004.00000020.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: rawing.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: .pdb0 source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: ility.pdb= source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: rawing.pdbV source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb;L source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb`}p source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000014.00000003.460718316.0000000005078000.00000004.00000040.sdmp
Source:	Binary string: pe.pdb source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbx}X source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb#L source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.401704873.0000000000C25000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: profapi.pdbj}J source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbCv source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb1Le source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: c.pdbisualB source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdbR}b source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: version.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: System.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.562679881.0000000001A4E000.00000004.00000020.sdmp
Source:	Binary string: t.CSharp.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3hl source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: ore.pdb source: WerFault.exe, 00000014.00000003.460803167.000000000507A000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.PDB source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.555982206.0000000001737000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000014.00000003.461717043.0000000005060000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000014.00000003.460989200.0000000004F21000.00000004.00000001.sdmp
Source:	Binary string: cldapi.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000014.00000003.460331688.0000000005061000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbp source: WER40BE.tmp.dmp.20.dr
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000014.00000003.461472614.0000000005065000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000014.00000002.537874991.00000000051F0000.00000004.00000001.sdmp
Source:	Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000014.00000003.460331688.0000000005061000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbT}d source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp, WER40BE.tmp.dmp.20.dr
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000014.00000003.461528304.0000000005068000.00000004.00000040.sdmp
Source:	Binary string: edputil.pdb source: WerFault.exe, 00000014.00000003.460065947.000000000506C000.00000004.00000040.sdmp

Source: y3t4g48gj6_PAYMENT.exe

Static PE information: 0xD9F65925 [Sat Nov 17 01:55:49 2085 UTC]

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Code function: 1_2_01D3F730 push esp; retf
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Code function: 1_2_01D3EBCC pushfd ; ret
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Code function: 1_2_036B4CC8 push B40368FCh; ret

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File created: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: unknown

Executable created and started: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File created: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File created: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe

Jump to dropped file

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 51h0d2Kf8543fo5

Jump to behavior

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 51h0d2Kf8543fo5	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 51h0d2Kf8543fo5	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 51h0d2Kf8543fo5	Jump to behavior
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 51h0d2Kf8543fo5	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File opened: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe:Zone.Identifier read attributes | delete

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Section loaded: OutputDebugStringW count: 215
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Section loaded: OutputDebugStringW count: 115

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.632793940.0000000005D00000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.632793940.0000000005D00000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLUSER

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4199
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2736
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3961
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3027
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4137
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2248
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Window / User API: threadDelayed 3531
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Window / User API: threadDelayed 5320
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Window / User API: foregroundWindowGot 354

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe TID: 7032	Thread sleep count: 100 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4008	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4008	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1724	Thread sleep count: 3961 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 956	Thread sleep count: 3027 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6768	Thread sleep count: 40 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6020	Thread sleep count: 4137 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6020	Thread sleep count: 2248 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6348	Thread sleep count: 63 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7104	Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe TID: 5724	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe TID: 5692	Thread sleep time: -400000s >= -30000s
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe TID: 6816	Thread sleep count: 100 > 30
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe TID: 5720	Thread sleep count: 100 > 30
Source: C:\Windows\System32\svchost.exe TID: 5360	Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 780	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread delayed: delay time: 922337203685477

Source: WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: powershell.exe, 00000003.00000003.590449724.0000000005756000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.593349676.00000000055E4000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: svchost.exe, 00000002.00000002.339785847.00000183AEF40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.411970104.0000020872540000.00000002.00000001.sdmp, WerFault.exe, 00000014.00000002.534003099.0000000004D20000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.447874029.0000019E2AD40000.00000002.00000001.sdmp, svchost.exe, 0000001B.00000002.527402070.00000193D7C00000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: svchost.exe, 0000001F.00000002.644130404.000001F18E462000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: WerFault.exe, 00000014.00000002.521043498.0000000001240000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.512350033.00000193D6C70000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.639501236.000001F188E2A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.632793940.0000000005D00000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: svchost.exe, 00000002.00000002.339785847.00000183AEF40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.411970104.0000020872540000.00000002.00000001.sdmp, WerFault.exe, 00000014.00000002.534003099.0000000004D20000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.447874029.0000019E2AD40000.00000002.00000001.sdmp, svchost.exe, 0000001B.00000002.527402070.00000193D7C00000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000002.00000002.339785847.00000183AEF40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.411970104.0000020872540000.00000002.00000001.sdmp, WerFault.exe, 00000014.00000002.534003099.0000000004D20000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.447874029.0000019E2AD40000.00000002.00000001.sdmp, svchost.exe, 0000001B.00000002.527402070.00000193D7C00000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: VMwareVBox
Source: WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: svchost.exe, 0000001B.00000002.513210300.00000193D6CA8000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW@
Source: WerFault.exe, 00000014.00000003.426622810.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: svchost.exe, 00000002.00000002.339785847.00000183AEF40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.411970104.0000020872540000.00000002.00000001.sdmp, WerFault.exe, 00000014.00000002.534003099.0000000004D20000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.447874029.0000019E2AD40000.00000002.00000001.sdmp, svchost.exe, 0000001B.00000002.527402070.00000193D7C00000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: powershell.exe, 00000003.00000003.590449724.0000000005756000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.593349676.00000000055E4000.00000004.00000001.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process token adjusted: Debug
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' -Force
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' -Force
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

Memory written: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' -Force
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Process created: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7028 -ip 7028
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1780

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe VolumeInformation
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe VolumeInformation
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028, type: MEMORY
Source: Yara match	File source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: y3t4g48gj6_PAYMENT.exe, 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: y3t4g48gj6_PAYMENT.exe, 0000000E.00000003.418531659.00000000014F0000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: y3t4g48gj6_PAYMENT.exe PID: 7028, type: MEMORY
Source: Yara match	File source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.y3t4g48gj6_PAYMENT.exe.4a901f0.1.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Registry Run Keys / Startup Folder11	Process Injection111	Masquerading221	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder11	Disable or Modify Tools11	LSASS Memory	Security Software Discovery331	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion251	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	Virtualization/Sandbox Evasion251	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Timestomp1	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery22	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
y3t4g48gj6_PAYMENT.exe	15%	ReversingLabs	Win32.Trojan.Generic
y3t4g48gj6_PAYMENT.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	100%	Joe Sandbox ML
C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe	15%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
omaprilcode.duckdns.org	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
omaprilcode.duckdns.org	3%	Virustotal		Browse
omaprilcode.duckdns.org	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
omaprilcode.duckdns.org	194.5.97.75	true	true	3%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
omaprilcode.duckdns.org	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000005.00000003.482507210.000000000812F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000005.00000003.482507210.000000000812F000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/contact/	svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000007.00000003.511991021.000000000552F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.roblox.com/develop	svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp	false		high
https://instagram.com/hiddencity_	svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/parents/	svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.493537589.00000193D7566000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000005.00000003.482507210.000000000812F000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms	svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	svchost.exe, 0000001F.00000002.644438974.000001F18E630000.00000002.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
https://www.roblox.com/info/privacy	svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp	false		high
http://www.g5e.com/termsofservice	svchost.exe, 0000001B.00000003.462561929.00000193D7577000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.463207761.00000193D758D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.462293843.00000193D756D000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high
https://en.help.roblox.com/hc/en-us	svchost.exe, 0000001B.00000003.494731203.00000193D751E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.494312984.00000193D75AB000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	WerFault.exe, 00000014.00000003.444890733.0000000005230000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.97.75	omaprilcode.duckdns.org	Netherlands		208476	DANILENKODE	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	411514
Start date:	11.05.2021
Start time:	23:52:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 31s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	y3t4g48gj6_PAYMENT.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@32/27@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 5.5% (good quality ratio 0%) Quality average: 0.3% Quality standard deviation: 3.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 13.64.90.137, 92.122.145.220, 20.82.210.154, 92.122.213.194, 92.122.213.247, 93.184.221.240, 51.103.5.186, 52.155.217.156, 20.54.26.129, 40.126.31.141, 20.190.159.136, 20.190.159.134, 40.126.31.139, 20.190.159.138, 40.126.31.143, 40.126.31.4, 40.126.31.137, 52.255.188.83, 184.30.20.56, 168.61.161.212 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu.azureedge.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net Execution Graph export aborted for target y3t4g48gj6_PAYMENT.exe, PID 6644 because there are no executed function Execution Graph export aborted for target y3t4g48gj6_PAYMENT.exe, PID 7028 because it is empty Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:53:41	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 51h0d2Kf8543fo5 C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe
23:53:49	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce 51h0d2Kf8543fo5 C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe
23:53:56	API Interceptor	805x Sleep call for process: y3t4g48gj6_PAYMENT.exe modified
23:54:22	API Interceptor	12x Sleep call for process: svchost.exe modified
23:54:22	API Interceptor	147x Sleep call for process: powershell.exe modified
23:54:51	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
194.5.97.75	IPUt7Nr2CH.exe	Get hash	malicious	Browse
	q19CDiK5TD.exe	Get hash	malicious	Browse
	d9hGzIR8mh.exe	Get hash	malicious	Browse
	6554353_Payment_Invoice.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
omaprilcode.duckdns.org	IPUt7Nr2CH.exe	Get hash	malicious	Browse	194.5.97.75
omaprilcode.duckdns.org	q19CDiK5TD.exe	Get hash	malicious	Browse	194.5.97.75

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	Quotation.jar	Get hash	malicious	Browse	194.5.98.38
	5lQuLT5Zu8.exe	Get hash	malicious	Browse	194.5.97.116
	IPUt7Nr2CH.exe	Get hash	malicious	Browse	194.5.97.75
	Passport_ID_jpg.jar	Get hash	malicious	Browse	194.5.98.228
	Vd80r7R7K5.exe	Get hash	malicious	Browse	194.5.98.208
	noVPhNP46G.exe	Get hash	malicious	Browse	194.5.98.208
	LQ0dDP64uk.exe	Get hash	malicious	Browse	194.5.98.208
	SCAN_DOCX-36673672.exe	Get hash	malicious	Browse	194.5.97.11
	4b092c1e_by_Libranalysis.docx	Get hash	malicious	Browse	194.5.98.208
	QW8lWJDpU8.exe	Get hash	malicious	Browse	194.5.98.5
	2a8f04dd_by_Libranalysis.docm	Get hash	malicious	Browse	194.5.98.210
	Invoice_orderYscFwfO1peuGl0w.exe	Get hash	malicious	Browse	194.5.98.250
	Quotation.jar	Get hash	malicious	Browse	194.5.97.87
	Quotation.jar	Get hash	malicious	Browse	194.5.97.87
	Quotation.jar	Get hash	malicious	Browse	194.5.97.87
	Quotation.jar	Get hash	malicious	Browse	194.5.97.87
	EFT payment.exe	Get hash	malicious	Browse	194.5.97.215
	Contract_Documents_pdf.exe	Get hash	malicious	Browse	194.5.98.203
	BANK DETAILS.jar	Get hash	malicious	Browse	194.5.97.87
	q19CDiK5TD.exe	Get hash	malicious	Browse	194.5.97.75

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5976804353698416
Encrypted:	false
SSDEEP:	6:btKVEk1GaD0JOCEfMuaaD0JOCEfMKQmDI0Al/gz2cE0fMbhEZolrRSQ2hyYIIT:bYVrGaD0JcaaD0JwQQI0Ag/0bjSQJ
MD5:	C6A4D3B3B4EB755F99F9FD5B25FE88A9
SHA1:	343110136653D96FE8DFE258E50328777006AEC3
SHA-256:	7EDE1D0C07AD67C98AC68AD2D25206BC2CEC26F98D27AA0870170EA08BD63772
SHA-512:	D3F257F5229B0CCCA6740166296057F2D5E0E290AFB5C9D716EA6419BC39024937992357A5552AB7A44810AE0764B2452176559542AFECE7BB66946A55FC7927
Malicious:	false
Preview:	....E..h..(.....46...y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................46...y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x80031985, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09616301549185044
Encrypted:	false
SSDEEP:	12:x0+Y1O4blqXOlRxKT0+Y1O4blqXOlRxK:q13lz13l
MD5:	E47EA999514BEC2CADE05C8F05257AE6
SHA1:	E685169FA7CF7F06FFF70FEE34C5A713E6CEBC1D
SHA-256:	7B6F583B5D70FE9AB6B695120C8DD5B615521F5F4FA5548F1D23E8595AF972C9
SHA-512:	D5E6ECD730C784F36EB3588103BBFAD79DDCBF821D5C9BA3355DD08547F92DA504B735BC6DDC0538E47C12F9F89E63038E7CB4A34A597A973D18E28F08B2982C
Malicious:	false
Preview:	....... ................e.f.3...w........................&..........w..46...yG.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w........................................................................................................................................................................................................................................5.46...y.{.................5..46...yG.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.11086134938174995
Encrypted:	false
SSDEEP:	3:6TEvRriIMuXl/bJdAtiLzvpcHYll:PJMAt4Ir
MD5:	D749BF4712C102699C1918F5266DFED0
SHA1:	6B0B812FA4903EF76603641A5A3CE3FEF5B2D9CF
SHA-256:	445AFA51E5E9610960E9B93176744416754E1CCF495F8A8C6FDE3FC6BD9971E6
SHA-512:	B708677FD5F6EC5B329394F52DEB276FAD880F669CE6E7A0A52E7D29DA7A83056E57BBF58E2CB62B2B285A4C7763723BA43952706AE75FD6B9F482145CB7AD22
Malicious:	false
Preview:	.m.=.....................................3...w..46...yG......w...............w.......w....:O.....w...................5..46...yG.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_y3t4g48gj6_PAYME_ce53192e427e57e166223ab89fc2d2b1ddc61e_5e276ace_16bcfe61\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	15294
Entropy (8bit):	3.7744507720065053
Encrypted:	false
SSDEEP:	192:O5sUrmHBUZMXyaKKIKZDnyK/u7sjS274Itjb:UlSBUZMXyatyK/u7sjX4Itjb
MD5:	04B18104DC74E8A05B23CD669E5ADA60
SHA1:	6D30AAF091493A505269958BEF5D5ADDFA51D2C4
SHA-256:	BFEDFC3EC6F63C97FDB465DF9E9A32173937B26402D20570B26DDCC2CE2626BE
SHA-512:	D26968FC016564A690E8B3A08D3F8EB1C6B77A69ED3C1889C699E937ED74214639D2C01293F24412AA7AFF9C60CAFCD05D153BE39F56101165D2DB81259FC18A
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.5.2.7.6.0.4.2.5.1.9.0.1.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.5.2.7.6.0.8.7.7.2.1.9.0.1.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.e.7.a.7.b.7.-.8.f.2.0.-.4.0.9.5.-.8.3.3.f.-.3.1.f.a.0.a.e.7.e.d.3.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.a.2.9.b.4.f.-.f.f.1.c.-.4.0.4.7.-.8.1.9.3.-.4.1.f.7.c.a.8.f.d.a.f.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.3.t.4.g.4.8.g.j.6._.P.A.Y.M.E.N.T...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.v.a.l.u.e.i.n.f.i.n.i.t.e.V.M...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.4.-.0.0.0.1.-.0.0.1.7.-.a.a.4.e.-.3.a.7.e.f.b.4.6.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.6.e.f.1.2.5.e.5.0.7.7.7.c.1.9.0.1.6.8.b.0.9.3.3.d.c.1.b.0.4.1.0.0.0.0.0.0.0.0.!.0.0.0.0.e.3.8.1.0.d.2.1.6.0.0.b.b.0.1.1.3.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER40BE.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 12 06:54:23 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	306847
Entropy (8bit):	3.8248011042062893
Encrypted:	false
SSDEEP:	3072:h59gIOgF5Rso4g0aUCgUJVKMj7VTsNqktVfrRT0ZN/jd+pROH2SDbUDYsck38i:h59RpDm9g5TjJYYBTRkrh0kpl9
MD5:	EF1B3D04FE6E9278638343B90563E41C
SHA1:	6A92CA503B4FB5A6BE57A69A14852F75766A3EF2
SHA-256:	508A49F23892320A01D50D2347C5553EA81F0C6ED774973687EB9F8A1F9C15B8
SHA-512:	1F457EEB4557F2B2FB569FFA317817A8E595EC79100EEBC7F14A9A94F84256D3C141FDE25B360C177A41ADCFF97DB10B46D32D716AB2D49ABEA869AE312F4353
Malicious:	false
Preview:	MDMP....... ........{.`...................U...........B.......&......GenuineIntelW...........T.......t..._{.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EDD.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8438
Entropy (8bit):	3.7020515446608675
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNizN6M6YJVSU3w/jgmfZGSVCprn89bnasfONm:RrlsNiZ6M6YLSU3w/jgmf0S1n5fl
MD5:	D7FD4D77AE4CBE9D546552DCCBEB0454
SHA1:	72920FA887BB0257854AACFA05DEBD1E90F90BA4
SHA-256:	E38CA4B5A8F4BFDAC566326B67463984602897DBEEA95C865373BCA6E1111B4B
SHA-512:	22AD5E0D45975E285F3797E0F5ED689271C6694DB9D645B9B9D2BD95DB3E3A1AE44F2324BCBED75F5D7D02D08A6EE5DF2AC8BACFB229B1733133F1ECE721B86B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.2.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC2C.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4800
Entropy (8bit):	4.518003231098789
Encrypted:	false
SSDEEP:	48:cvIwSD8zsgJgtWI9cyWSC8BS8fm8M4JGFFt+q8vNz9gmibkJBBed:uITfmzTSN9JsKR9gsJBBed
MD5:	053F5DA168F81FB7A4F346AF2F12F765
SHA1:	D36D39E9B5F04BFEDE1A777C32DE750380C8FC7A
SHA-256:	FD185CEB967D561D88554F13718D3299F4413B6A8D754636445BBCAEBC433423
SHA-512:	C35BA475867E2729386C054B880A34260EC653C57160C08D35E671D9F046EF1FDC0AC61453FA718C6B4691AE9043641C96B6C8B2774A1419EE72402FFD1AF1BE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="985925" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC68.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	56240
Entropy (8bit):	3.053476393071879
Encrypted:	false
SSDEEP:	1536:XVHD3jxKN5MjZcr046S5Aevd5bUOtI+szgq1v62:XVHD3jxKN5MjZcr046S5Aevd5bU6I+sh
MD5:	5678794ED4AFADA5549ABF616FFE781A
SHA1:	F597D79405CCF2838712E49E9ED0F47296A0D8A6
SHA-256:	20A9F3450026F33C6A14425DA64E813BE81FC675D576693645B80553F9CC377A
SHA-512:	5042ACEEF8FBDCB657E6F008AE4C44811942DEDCBCC63679875E84C9CBDCADD0F55734823DEB9E3C60AD170DD8588FBF465A95EF110F00E0B36F7E6185DB1E73
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB87F.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6969687742225354
Encrypted:	false
SSDEEP:	96:9GiZYWkJ4L1OaYFYwWpeHQYEZw2jt5iEzqYs17waqFaUvh0UdzI0v3:9jZDkCSF2Kr+aUvh0UO0v3
MD5:	BB8BBCD080A887F5B9E44281B318DB46
SHA1:	69AA6E5063EF1E3B86021EC996729AE3B2376C6F
SHA-256:	CF1FC5B4C3D7454352FD316293D1160565639466A3650A68CB49F058BF3016B2
SHA-512:	C0968E7C6D6ED008858112D28730B6605BCFB095D024E19D481EA904D7512348276DE727D4A1EED3B5619D786E5FE8D932CF2983E0A4E53952955B10E2251B94
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	14734
Entropy (8bit):	4.993014478972177
Encrypted:	false
SSDEEP:	384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
MD5:	8D5E194411E038C060288366D6766D3D
SHA1:	DC1A8229ED0B909042065EA69253E86E86D71C88
SHA-256:	44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
SHA-512:	21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_elauq3ki.ml0.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ncewgnw3.qax.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w14rpytb.25y.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y12pedfd.ixi.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yw1y3y53.hqg.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zah0ezrw.ehs.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Ej:Ej
MD5:	5B39604C071FE95CDDD4F140631DDBCE
SHA1:	A2DA2E4C41AAC375127C23BB5E1083C95AEE156F
SHA-256:	E369706507154D1A34DC1D0A38E6AC34893B774936299A86EAA3EC708DE156F6
SHA-512:	934910C1F63D039492899A562F49C140DD1CCA7852FB049C6AC79E3EB1B039CB680110AEB91CE1ED051DFD69C6BC43460D5F3D1E7D88A354FE8FE7C9AE6DD0C4
Malicious:	true
Preview:	(.R....H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
File Type:	data
Category:	dropped
Size (bytes):	327768
Entropy (8bit):	7.999367066417797
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
MD5:	2E52F446105FBF828E63CF808B721F9C
SHA1:	5330E54F238F46DC04C1AC62B051DB4FCD7416FB
SHA-256:	2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
SHA-512:	C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\Documents\20210511\PowerShell_transcript.878411.68FOB_yb.20210511235334.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5217
Entropy (8bit):	5.417695523418659
Encrypted:	false
SSDEEP:	96:BZJTLLNQ1qDo1Z72ZTTLLNQ1qDo1Zp8D+DEDjZGTLLNQ1qDo1ZgvD0D9:n
MD5:	CFB4E49471003BAA780AACF9AC7FFD87
SHA1:	D8B217E2716AF6E9661D7FFA87DB3EE0BD475549
SHA-256:	8963C4AAE1D6854EF7D7B0D1E71529A44B2514E8AF40BC1919B1EEE3C93FA04C
SHA-512:	482B86E1AD26B7198A4BFCADCACCF9301D0F6258C982AC304441BCAFE07FE6BF0F736787E44920143A6C941A11F19FECD68C0C6F54D45F8D8F3B32652A84C1B8
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210511235359..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 878411 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe -Force..Process ID: 4668..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210511235400..******************..PS>Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe -Force..********************..Windows PowerShell transcript start..Start time: 20210512000222..Username: computer

C:\Users\user\Documents\20210511\PowerShell_transcript.878411.E9GVYDVQ.20210511235337.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1586
Entropy (8bit):	5.33741245385722
Encrypted:	false
SSDEEP:	48:BZMwvTLLoO+SWsXqDYB1Z6cW2ZYhvTLLoO+SWsXqDYB1ZA:BZMITLLNQyqDo1Z6J2ZATLLNQyqDo1ZA
MD5:	24B7153068B74F63D00506BD762CF0AF
SHA1:	F695E04DD31E7CCF7566E3F433A74E151E79AE32
SHA-256:	1BC99D330DB74DC6B97DC17D234CE3B318168E992DDC1096B597491B2D5C7D29
SHA-512:	AF36DF4F7BDF35A6C3F1CBF0F0E9472952A459C536B29EF1C14536E1213D5525641E56A5B9DD49EA1CF8F99B46970686DCE656494637AB7E797CCDD2BB8B8CAF
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210511235410..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 878411 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe -Force..Process ID: 1912..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210511235412..******************..PS>Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe -Force..********************..Windows PowerShell transcript start..Start time: 20210511235525..Username: computer

C:\Users\user\Documents\20210511\PowerShell_transcript.878411.ZQ4X65kJ.20210511235337.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4309
Entropy (8bit):	5.442531877682068
Encrypted:	false
SSDEEP:	96:BZ5NTLLN+qDo1ZJZPTLLN+qDo1Zlc+0jZzTLLN+qDo1ZVe:lU
MD5:	8A5EA0648FDE1D231A3B3F62DFF232E0
SHA1:	09463333CC5CEA72630A6F59E4128B60822C2D53
SHA-256:	41D5A08E8E4022B1319554A9B6DB233E0FBBB187F7BB87C74D3DC69CC68421DF
SHA-512:	9F88C010951C5D619A97F310094086CC1252B2B2C39B87254ECCA40730BE208CAD81A73743055119F7EDA31FE2111CD07D9F201993DFD11415E50AD962089EB2
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210511235403..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 878411 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe -Force..Process ID: 4896..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210511235404..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe -Force..********************..Windows PowerShell transcript start..Start time: 20210512000244..Username: computer\user..Run

C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe Download File
Process:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3867176
Entropy (8bit):	2.590642055759663
Encrypted:	false
SSDEEP:	24576:Bg2krlcNk1WgwmNHtf+Gqwqf/JOy0h1qMEIGCjx9h3CIf9rMRrdA7w1cYAnXs6M7:Bh
MD5:	9998F7E0C708BA1FA4B56235A9811C0F
SHA1:	E3810D21600BB0113B2D7116347326BEB6A35D83
SHA-256:	9F44F33F1B0B724292959B65AE6F2918CB1993641AD7832FFDBD68FC00FDDA2C
SHA-512:	69A0FEA89ADC2F259624E6ABA5CF20194A904E8656444DF6894785775F57DAEC33AB08903D5147152482D7CFAAFF91C30FA51965FE472EB1E91DF42B709432F2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 15%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%Y............"...0...:...........;.. ... ;...@.. .......................`;.....5S;...@...................................;.O.... ;...............:.(....@;...................................................... ............... ..H............text...4.:.. ....:................. ..`.rsrc........ ;.......:.............@..@.reloc.......@;.......:.............@..B..................;.....H.......`$..\|.:..........#...............................................&.(......".......".(.....Vs....(....t.........6.rK..p(.....".(......s...........0..9........~.........,".r...p.....(....o....s............~.....+......0...........~.....+....0...........~.....+....0............(.....+.+.........0..9.............r.:p+........(....(......(.......(......................%.. .o.........+L..........r..:p(........,.+*..o...........,.+...(.......~......o.........X..

C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	2.590642055759663
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	y3t4g48gj6_PAYMENT.exe
File size:	3867176
MD5:	9998f7e0c708ba1fa4b56235a9811c0f
SHA1:	e3810d21600bb0113b2d7116347326beb6a35d83
SHA256:	9f44f33f1b0b724292959b65ae6f2918cb1993641ad7832ffdbd68fc00fdda2c
SHA512:	69a0fea89adc2f259624e6aba5cf20194a904e8656444df6894785775f57daec33ab08903d5147152482d7cfaaff91c30fa51965fe472eb1e91df42b709432f2
SSDEEP:	24576:Bg2krlcNk1WgwmNHtf+Gqwqf/JOy0h1qMEIGCjx9h3CIf9rMRrdA7w1cYAnXs6M7:Bh
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%Y............"...0...:...........;.. ... ;...@.. .......................`;.....5S;...@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x7b032e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xD9F65925 [Sat Nov 17 01:55:49 2085 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	C=by64bc71k4HZ0Yw5C4bba6cc73Yfz0a, S=H9a5205c91ku3, L=5Jp25b35, T=NweE2NdNRd1J7Jb5wDdffe141z527c2ci41dgw3, E=4rhdU4t04, OU=484d0C6323bzd4c97q3, O=bR673KfoLs612894halpX4a4d0qGA2d583, CN=44Ql7muB5F53555J17d1o
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	5/11/2021 7:54:44 AM 5/11/2022 7:54:44 AM
Subject Chain	C=by64bc71k4HZ0Yw5C4bba6cc73Yfz0a, S=H9a5205c91ku3, L=5Jp25b35, T=NweE2NdNRd1J7Jb5wDdffe141z527c2ci41dgw3, E=4rhdU4t04, OU=484d0C6323bzd4c97q3, O=bR673KfoLs612894halpX4a4d0qGA2d583, CN=44Ql7muB5F53555J17d1o
Version:	3
Thumbprint MD5:	987431C54CFEF315C111B5AB521BCAC1
Thumbprint SHA-1:	DD65EBFE2F0AF6EC396DC73C4A037E87E321A06B
Thumbprint SHA-256:	93C6C15FCE022D65F38E693A5BADB285F2BE5AC5EC2BFC2707FBF16E192C6E96
Serial:	00BEABD3255E63776CE32FBB6B780B4783

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b02dc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b2000	0x5d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3aee00	0x1428	.text
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3b4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3ae334	0x3ae400	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x3b2000	0x5d8	0x600	False	0.421223958333	data	4.14589146106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3b4000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x3b20a0	0x34c	data
RT_MANIFEST	0x3b23ec	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2021
Assembly Version	1.0.0.0
InternalName	valueinfiniteVM.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	valueinfiniteVM
ProductVersion	1.0.0.0
FileDescription	valueinfiniteVM
OriginalFilename	valueinfiniteVM.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2021 23:54:01.991233110 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:02.134605885 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:02.135693073 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:02.315650940 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:02.478807926 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:02.480408907 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:02.671775103 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:02.672080994 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:02.816175938 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:02.863444090 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:02.887123108 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.079195976 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.126389980 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.126424074 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.126483917 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.126511097 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.126547098 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.126751900 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.269855022 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.269893885 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.269922018 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.270036936 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.270086050 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.270333052 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.270370007 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.270394087 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.270730972 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.270766020 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.270853996 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.271909952 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.411948919 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.413635969 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.413660049 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.413749933 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.413784027 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.413881063 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.414004087 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.414113998 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.414186954 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.414292097 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.414758921 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.414782047 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.414894104 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.414992094 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.415210009 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.415313005 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.415316105 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.415663004 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.415685892 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.415707111 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.415882111 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.415919065 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.416126013 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.416162968 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.416321039 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.416354895 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.416470051 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.416507959 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.416852951 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.559678078 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.559794903 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.559885979 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.560215950 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.560280085 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.560347080 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.560524940 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.560698032 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.560772896 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.560782909 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.561068058 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.561141014 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.561413050 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.561588049 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.561609030 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.561693907 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.561811924 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.561887026 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.562055111 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.562211037 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.562280893 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.562416077 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.562525988 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.562608957 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.562710047 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.562809944 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.562887907 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.562964916 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.563091993 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.563165903 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.563282967 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.563446045 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.563523054 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.563656092 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.563893080 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.564035892 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.564192057 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.564239979 CEST	49735	8090	192.168.2.6	194.5.97.75
May 11, 2021 23:54:03.564415932 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.564444065 CEST	8090	49735	194.5.97.75	192.168.2.6
May 11, 2021 23:54:03.564467907 CEST	49735	8090	192.168.2.6	194.5.97.75

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2021 23:53:12.693845987 CEST	53	64267	8.8.8.8	192.168.2.6
May 11, 2021 23:53:13.288600922 CEST	49448	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:13.337548971 CEST	53	49448	8.8.8.8	192.168.2.6
May 11, 2021 23:53:13.768048048 CEST	60342	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:13.826888084 CEST	53	60342	8.8.8.8	192.168.2.6
May 11, 2021 23:53:14.419569016 CEST	61346	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:14.468420982 CEST	53	61346	8.8.8.8	192.168.2.6
May 11, 2021 23:53:15.593247890 CEST	51774	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:15.641983986 CEST	53	51774	8.8.8.8	192.168.2.6
May 11, 2021 23:53:16.709300995 CEST	56023	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:16.760977030 CEST	53	56023	8.8.8.8	192.168.2.6
May 11, 2021 23:53:18.120974064 CEST	58384	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:18.178188086 CEST	53	58384	8.8.8.8	192.168.2.6
May 11, 2021 23:53:19.353452921 CEST	60261	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:19.410451889 CEST	53	60261	8.8.8.8	192.168.2.6
May 11, 2021 23:53:20.766933918 CEST	56061	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:20.821878910 CEST	53	56061	8.8.8.8	192.168.2.6
May 11, 2021 23:53:22.508728981 CEST	58336	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:22.566011906 CEST	53	58336	8.8.8.8	192.168.2.6
May 11, 2021 23:53:23.694828987 CEST	53781	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:23.744986057 CEST	53	53781	8.8.8.8	192.168.2.6
May 11, 2021 23:53:25.092776060 CEST	54064	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:25.144562006 CEST	53	54064	8.8.8.8	192.168.2.6
May 11, 2021 23:53:26.295615911 CEST	52811	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:26.344513893 CEST	53	52811	8.8.8.8	192.168.2.6
May 11, 2021 23:53:27.467045069 CEST	55299	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:27.524247885 CEST	53	55299	8.8.8.8	192.168.2.6
May 11, 2021 23:53:28.619930983 CEST	63745	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:28.668901920 CEST	53	63745	8.8.8.8	192.168.2.6
May 11, 2021 23:53:29.828959942 CEST	50055	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:29.880475044 CEST	53	50055	8.8.8.8	192.168.2.6
May 11, 2021 23:53:30.955908060 CEST	61374	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:31.015707016 CEST	53	61374	8.8.8.8	192.168.2.6
May 11, 2021 23:53:32.130070925 CEST	50339	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:32.190007925 CEST	53	50339	8.8.8.8	192.168.2.6
May 11, 2021 23:53:35.031847954 CEST	63307	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:35.083312035 CEST	53	63307	8.8.8.8	192.168.2.6
May 11, 2021 23:53:38.200325966 CEST	49694	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:38.248883963 CEST	53	49694	8.8.8.8	192.168.2.6
May 11, 2021 23:53:47.785288095 CEST	54982	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:47.842583895 CEST	53	54982	8.8.8.8	192.168.2.6
May 11, 2021 23:53:52.343401909 CEST	50010	53	192.168.2.6	8.8.8.8
May 11, 2021 23:53:52.402043104 CEST	53	50010	8.8.8.8	192.168.2.6
May 11, 2021 23:54:01.630276918 CEST	63718	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:01.852056026 CEST	53	63718	8.8.8.8	192.168.2.6
May 11, 2021 23:54:08.121082067 CEST	62116	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:08.183593035 CEST	53	62116	8.8.8.8	192.168.2.6
May 11, 2021 23:54:09.129223108 CEST	63816	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:09.188091040 CEST	53	63816	8.8.8.8	192.168.2.6
May 11, 2021 23:54:15.967436075 CEST	55014	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:16.193136930 CEST	53	55014	8.8.8.8	192.168.2.6
May 11, 2021 23:54:20.714508057 CEST	62208	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:20.841531992 CEST	53	62208	8.8.8.8	192.168.2.6
May 11, 2021 23:54:21.201359987 CEST	57574	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:21.258441925 CEST	53	57574	8.8.8.8	192.168.2.6
May 11, 2021 23:54:22.554590940 CEST	51818	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:22.611522913 CEST	53	51818	8.8.8.8	192.168.2.6
May 11, 2021 23:54:23.394865990 CEST	56628	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:23.454391003 CEST	53	56628	8.8.8.8	192.168.2.6
May 11, 2021 23:54:24.354697943 CEST	60778	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:24.413964987 CEST	53	60778	8.8.8.8	192.168.2.6
May 11, 2021 23:54:26.336348057 CEST	53799	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:26.441319942 CEST	53	53799	8.8.8.8	192.168.2.6
May 11, 2021 23:54:27.199091911 CEST	54683	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:27.257597923 CEST	53	54683	8.8.8.8	192.168.2.6
May 11, 2021 23:54:27.711756945 CEST	59329	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:27.769222021 CEST	53	59329	8.8.8.8	192.168.2.6
May 11, 2021 23:54:31.061930895 CEST	64021	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:31.122121096 CEST	53	64021	8.8.8.8	192.168.2.6
May 11, 2021 23:54:33.969976902 CEST	56129	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:34.032226086 CEST	53	56129	8.8.8.8	192.168.2.6
May 11, 2021 23:54:38.607516050 CEST	58177	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:38.667622089 CEST	53	58177	8.8.8.8	192.168.2.6
May 11, 2021 23:54:40.595410109 CEST	50700	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:40.644227028 CEST	53	50700	8.8.8.8	192.168.2.6
May 11, 2021 23:54:42.386462927 CEST	54069	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:42.443860054 CEST	53	54069	8.8.8.8	192.168.2.6
May 11, 2021 23:54:49.005872965 CEST	61178	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:49.086483955 CEST	53	61178	8.8.8.8	192.168.2.6
May 11, 2021 23:54:50.037343979 CEST	57017	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:50.087301970 CEST	53	57017	8.8.8.8	192.168.2.6
May 11, 2021 23:54:53.723217964 CEST	56327	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:53.783620119 CEST	53	56327	8.8.8.8	192.168.2.6
May 11, 2021 23:54:54.585988998 CEST	50243	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:54.654728889 CEST	53	50243	8.8.8.8	192.168.2.6
May 11, 2021 23:54:55.628778934 CEST	62055	53	192.168.2.6	8.8.8.8
May 11, 2021 23:54:55.687485933 CEST	53	62055	8.8.8.8	192.168.2.6
May 11, 2021 23:55:48.602257967 CEST	61249	53	192.168.2.6	8.8.8.8
May 11, 2021 23:55:48.659320116 CEST	53	61249	8.8.8.8	192.168.2.6
May 11, 2021 23:55:48.808475018 CEST	65252	53	192.168.2.6	8.8.8.8
May 11, 2021 23:55:48.865681887 CEST	53	65252	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 11, 2021 23:54:01.630276918 CEST	192.168.2.6	8.8.8.8	0xc28b	Standard query (0)	omaprilcode.duckdns.org	A (IP address)	IN (0x0001)
May 11, 2021 23:54:15.967436075 CEST	192.168.2.6	8.8.8.8	0x2bd2	Standard query (0)	omaprilcode.duckdns.org	A (IP address)	IN (0x0001)
May 11, 2021 23:54:23.394865990 CEST	192.168.2.6	8.8.8.8	0x3fa7	Standard query (0)	omaprilcode.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 11, 2021 23:54:01.852056026 CEST	8.8.8.8	192.168.2.6	0xc28b	No error (0)	omaprilcode.duckdns.org		194.5.97.75	A (IP address)	IN (0x0001)
May 11, 2021 23:54:16.193136930 CEST	8.8.8.8	192.168.2.6	0x2bd2	No error (0)	omaprilcode.duckdns.org		194.5.97.75	A (IP address)	IN (0x0001)
May 11, 2021 23:54:23.454391003 CEST	8.8.8.8	192.168.2.6	0x3fa7	No error (0)	omaprilcode.duckdns.org		194.5.97.75	A (IP address)	IN (0x0001)
May 11, 2021 23:54:49.086483955 CEST	8.8.8.8	192.168.2.6	0x7418	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: y3t4g48gj6_PAYMENT.exe PID: 7028 Parent PID: 5908

General

Start time:	23:53:20
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe'
Imagebase:	0xfc0000
File size:	3867176 bytes
MD5 hash:	9998F7E0C708BA1FA4B56235A9811C0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.600696980.00000000046E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: svchost.exe PID: 7128 Parent PID: 560

General

Start time:	23:53:23
Start date:	11/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 4668 Parent PID: 7028

General

Start time:	23:53:31
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 4104 Parent PID: 4668

General

Start time:	23:53:32
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 4896 Parent PID: 7028

General

Start time:	23:53:32
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe' -Force
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 4524 Parent PID: 4896

General

Start time:	23:53:32
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 1912 Parent PID: 7028

General

Start time:	23:53:32
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe' -Force
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 6408 Parent PID: 1912

General

Start time:	23:53:33
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 6336 Parent PID: 7028

General

Start time:	23:53:38
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6356 Parent PID: 6336

General

Start time:	23:53:38
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exe PID: 4752 Parent PID: 6336

General

Start time:	23:53:38
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0xa90000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: y3t4g48gj6_PAYMENT.exe PID: 6644 Parent PID: 7028

General

Start time:	23:53:44
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Imagebase:	0x240000
File size:	3867176 bytes
MD5 hash:	9998F7E0C708BA1FA4B56235A9811C0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: y3t4g48gj6_PAYMENT.exe PID: 6868 Parent PID: 7028

General

Start time:	23:53:47
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\y3t4g48gj6_PAYMENT.exe
Imagebase:	0xa50000
File size:	3867176 bytes
MD5 hash:	9998F7E0C708BA1FA4B56235A9811C0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: svchost.exe PID: 7088 Parent PID: 560

General

Start time:	23:53:48
Start date:	11/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6824 Parent PID: 3440

General

Start time:	23:53:49
Start date:	11/05/2021
Path:	C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe'
Imagebase:	0x70000
File size:	3867176 bytes
MD5 hash:	9998F7E0C708BA1FA4B56235A9811C0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 15%, ReversingLabs
Reputation:	low

Analysis Process: svchost.exe PID: 4696 Parent PID: 560

General

Start time:	23:53:52
Start date:	11/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exe PID: 6396 Parent PID: 4696

General

Start time:	23:53:52
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7028 -ip 7028
Imagebase:	0x1360000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exe PID: 5760 Parent PID: 7028

General

Start time:	23:53:55
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1780
Imagebase:	0x1360000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: svchost.exe PID: 5980 Parent PID: 3440

General

Start time:	23:53:58
Start date:	11/05/2021
Path:	C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Resources\Themes\agcQ435Jh2M0514\svchost.exe'
Imagebase:	0xc10000
File size:	3867176 bytes
MD5 hash:	9998F7E0C708BA1FA4B56235A9811C0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: svchost.exe PID: 6160 Parent PID: 560

General

Start time:	23:54:03
Start date:	11/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 5280 Parent PID: 560

General

Start time:	23:54:18
Start date:	11/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 2032 Parent PID: 560

General

Start time:	23:54:51
Start date:	11/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report y3t4g48gj6_PAYMENT.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos