
Analysis Report Ze8ZhOer4V

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 187597
Start date: 05.11.2019
Start time: 17:28:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Ze8ZhOer4V (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.spre.troj.evad.winEXE@299/34@254/13
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 90.2% (good quality ratio 89.9%)
  • Quality average: 85.7%
  • Quality standard deviation: 19.3%
HCA Information:
  • Successful, ratio: 54%
  • Number of executed functions: 38
  • Number of non-executed functions: 3
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): dllhost.exe, VSSVC.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): 224.2.168.192.in-addr.arpa, 164.2.168.192.in-addr.arpa, 155.2.168.192.in-addr.arpa, 53.2.168.192.in-addr.arpa, 215.2.168.192.in-addr.arpa, 35.2.168.192.in-addr.arpa, 189.2.168.192.in-addr.arpa, 9.2.168.192.in-addr.arpa, 233.2.168.192.in-addr.arpa, 105.2.168.192.in-addr.arpa, 62.2.168.192.in-addr.arpa, 249.2.168.192.in-addr.arpa, 26.2.168.192.in-addr.arpa, 2.2.168.192.in-addr.arpa, 139.2.168.192.in-addr.arpa, 180.2.168.192.in-addr.arpa, 19.2.168.192.in-addr.arpa, 112.2.168.192.in-addr.arpa, 130.2.168.192.in-addr.arpa, 80.2.168.192.in-addr.arpa, 96.2.168.192.in-addr.arpa, 208.2.168.192.in-addr.arpa, 146.2.168.192.in-addr.arpa, 173.2.168.192.in-addr.arpa, 69.2.168.192.in-addr.arpa, 196.2.168.192.in-addr.arpa, 242.2.168.192.in-addr.arpa, 123.2.168.192.in-addr.arpa, 162.2.168.192.in-addr.arpa, 141.2.168.192.in-addr.arpa, 201.2.168.192.in-addr.arpa, 187.2.168.192.in-addr.arpa, 238.2.168.192.in-addr.arpa, 55.2.168.192.in-addr.arpa, 60.2.168.192.in-addr.arpa, 153.2.168.192.in-addr.arpa, 191.2.168.192.in-addr.arpa, 28.2.168.192.in-addr.arpa, 226.2.168.192.in-addr.arpa, 103.2.168.192.in-addr.arpa, 247.2.168.192.in-addr.arpa, 4.2.168.192.in-addr.arpa, 137.2.168.192.in-addr.arpa, 10.2.168.192.in-addr.arpa, 114.2.168.192.in-addr.arpa, 251.2.168.192.in-addr.arpa, 17.2.168.192.in-addr.arpa, 33.2.168.192.in-addr.arpa, 78.2.168.192.in-addr.arpa, 94.2.168.192.in-addr.arpa, 71.2.168.192.in-addr.arpa, 213.2.168.192.in-addr.arpa, 21.2.168.192.in-addr.arpa, 148.2.168.192.in-addr.arpa, 175.2.168.192.in-addr.arpa, 125.2.168.192.in-addr.arpa, 240.2.168.192.in-addr.arpa, 44.2.168.192.in-addr.arpa, 67.2.168.192.in-addr.arpa, 82.2.168.192.in-addr.arpa, 198.2.168.192.in-addr.arpa, 219.2.168.192.in-addr.arpa, 91.2.168.192.in-addr.arpa, 159.2.168.192.in-addr.arpa, 32.2.168.192.in-addr.arpa, 236.2.168.192.in-addr.arpa, 185.2.168.192.in-addr.arpa, 74.2.168.192.in-addr.arpa, 39.2.168.192.in-addr.arpa, 254.2.168.192.in-addr.arpa, 
168.2.168.192.in-addr.arpa, 212.2.168.192.in-addr.arpa, 83.2.168.192.in-addr.arpa, 89.2.168.192.in-addr.arpa, 109.2.168.192.in-addr.arpa, 41.2.168.192.in-addr.arpa, 228.2.168.192.in-addr.arpa, 245.2.168.192.in-addr.arpa, 100.2.168.192.in-addr.arpa, 50.2.168.192.in-addr.arpa, 116.2.168.192.in-addr.arpa, 142.2.168.192.in-addr.arpa, 177.2.168.192.in-addr.arpa, 204.2.168.192.in-addr.arpa, 161.2.168.192.in-addr.arpa, 230.2.168.192.in-addr.arpa, 135.2.168.192.in-addr.arpa, 57.2.168.192.in-addr.arpa, 127.2.168.192.in-addr.arpa, 15.2.168.192.in-addr.arpa, 192.2.168.192.in-addr.arpa, 150.2.168.192.in-addr.arpa, 6.2.168.192.in-addr.arpa, 46.2.168.192.in-addr.arpa, 65.2.168.192.in-addr.arpa, 183.2.168.192.in-addr.arpa, 243.2.168.192.in-addr.arpa, 30.2.168.192.in-addr.arpa, 157.2.168.192.in-addr.arpa, 217.2.168.192.in-addr.arpa, 37.2.168.192.in-addr.arpa, 111.2.168.192.in-addr.arpa, 76.2.168.192.in-addr.arpa, 107.2.168.192.in-addr.arpa, 166.2.168.192.in-addr.arpa, 170.2.168.192.in-addr.arpa, 210.2.168.192.in-addr.arpa, 85.2.168.192.in-addr.arpa, 120.2.168.192.in-addr.arpa, 24.2.168.192.in-addr.arpa, 87.2.168.192.in-addr.arpa, 118.2.168.192.in-addr.arpa, 179.2.168.192.in-addr.arpa, 221.2.168.192.in-addr.arpa, 52.2.168.192.in-addr.arpa, 59.2.168.192.in-addr.arpa, 133.2.168.192.in-addr.arpa, 194.2.168.192.in-addr.arpa, 232.2.168.192.in-addr.arpa, 13.2.168.192.in-addr.arpa, 98.2.168.192.in-addr.arpa, 129.2.168.192.in-addr.arpa, 144.2.168.192.in-addr.arpa, 206.2.168.192.in-addr.arpa, 8.2.168.192.in-addr.arpa, 48.2.168.192.in-addr.arpa, 63.2.168.192.in-addr.arpa, 70.2.168.192.in-addr.arpa, 86.2.168.192.in-addr.arpa, 181.2.168.192.in-addr.arpa, 138.2.168.192.in-addr.arpa, 1.2.168.192.in-addr.arpa, 11.2.168.192.in-addr.arpa, 250.2.168.192.in-addr.arpa, 18.2.168.192.in-addr.arpa, 113.2.168.192.in-addr.arpa, 20.2.168.192.in-addr.arpa, 95.2.168.192.in-addr.arpa, 207.2.168.192.in-addr.arpa, 147.2.168.192.in-addr.arpa, 172.2.168.192.in-addr.arpa, 68.2.168.192.in-addr.arpa, 
241.2.168.192.in-addr.arpa, 122.2.168.192.in-addr.arpa, 197.2.168.192.in-addr.arpa, 223.2.168.192.in-addr.arpa, 45.2.168.192.in-addr.arpa, 200.2.168.192.in-addr.arpa, 165.2.168.192.in-addr.arpa, 216.2.168.192.in-addr.arpa, 54.2.168.192.in-addr.arpa, 239.2.168.192.in-addr.arpa, 131.2.168.192.in-addr.arpa, 77.2.168.192.in-addr.arpa, 188.2.168.192.in-addr.arpa, 234.2.168.192.in-addr.arpa, 34.2.168.192.in-addr.arpa, 154.2.168.192.in-addr.arpa, 27.2.168.192.in-addr.arpa, 61.2.168.192.in-addr.arpa, 104.2.168.192.in-addr.arpa, 199.2.168.192.in-addr.arpa, 3.2.168.192.in-addr.arpa, 136.2.168.192.in-addr.arpa, 79.2.168.192.in-addr.arpa, 93.2.168.192.in-addr.arpa, 115.2.168.192.in-addr.arpa, 252.2.168.192.in-addr.arpa, 72.2.168.192.in-addr.arpa, 209.2.168.192.in-addr.arpa, 16.2.168.192.in-addr.arpa, 174.2.168.192.in-addr.arpa, 214.2.168.192.in-addr.arpa, 149.2.168.192.in-addr.arpa, 124.2.168.192.in-addr.arpa, 22.2.168.192.in-addr.arpa, 43.2.168.192.in-addr.arpa, 81.2.168.192.in-addr.arpa, 163.2.168.192.in-addr.arpa, 202.2.168.192.in-addr.arpa, 237.2.168.192.in-addr.arpa, 186.2.168.192.in-addr.arpa, 152.2.168.192.in-addr.arpa, 190.2.168.192.in-addr.arpa, 225.2.168.192.in-addr.arpa, 102.2.168.192.in-addr.arpa, 140.2.168.192.in-addr.arpa, 29.2.168.192.in-addr.arpa, 248.2.168.192.in-addr.arpa, 117.2.168.192.in-addr.arpa, 23.2.168.192.in-addr.arpa, 143.2.168.192.in-addr.arpa, 160.2.168.192.in-addr.arpa, 203.2.168.192.in-addr.arpa, 134.2.168.192.in-addr.arpa, 110.2.168.192.in-addr.arpa, 56.2.168.192.in-addr.arpa, 14.2.168.192.in-addr.arpa, 151.2.168.192.in-addr.arpa, 126.2.168.192.in-addr.arpa, 193.2.168.192.in-addr.arpa, 99.2.168.192.in-addr.arpa, 220.2.168.192.in-addr.arpa, 176.2.168.192.in-addr.arpa, 47.2.168.192.in-addr.arpa, 101.2.168.192.in-addr.arpa, 66.2.168.192.in-addr.arpa, 158.2.168.192.in-addr.arpa, 184.2.168.192.in-addr.arpa, 38.2.168.192.in-addr.arpa, 73.2.168.192.in-addr.arpa, 31.2.168.192.in-addr.arpa, 92.2.168.192.in-addr.arpa, 235.2.168.192.in-addr.arpa, 
253.2.168.192.in-addr.arpa, 169.2.168.192.in-addr.arpa, 211.2.168.192.in-addr.arpa, 42.2.168.192.in-addr.arpa, 84.2.168.192.in-addr.arpa, 227.2.168.192.in-addr.arpa, 108.2.168.192.in-addr.arpa, 246.2.168.192.in-addr.arpa, 25.2.168.192.in-addr.arpa, 178.2.168.192.in-addr.arpa, 88.2.168.192.in-addr.arpa, 222.2.168.192.in-addr.arpa, 205.2.168.192.in-addr.arpa, 119.2.168.192.in-addr.arpa, 231.2.168.192.in-addr.arpa, 51.2.168.192.in-addr.arpa, 58.2.168.192.in-addr.arpa, 255.2.168.192.in-addr.arpa, 97.2.168.192.in-addr.arpa, 128.2.168.192.in-addr.arpa, 132.2.168.192.in-addr.arpa, 12.2.168.192.in-addr.arpa, 145.2.168.192.in-addr.arpa, 195.2.168.192.in-addr.arpa, 7.2.168.192.in-addr.arpa, 49.2.168.192.in-addr.arpa, 64.2.168.192.in-addr.arpa, 121.2.168.192.in-addr.arpa, 90.2.168.192.in-addr.arpa, 182.2.168.192.in-addr.arpa, 244.2.168.192.in-addr.arpa, 218.2.168.192.in-addr.arpa, 156.2.168.192.in-addr.arpa, 36.2.168.192.in-addr.arpa, 75.2.168.192.in-addr.arpa, 106.2.168.192.in-addr.arpa, 229.2.168.192.in-addr.arpa, 40.2.168.192.in-addr.arpa, 167.2.168.192.in-addr.arpa, 171.2.168.192.in-addr.arpa
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 100 | 0 - 100 | | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Service Execution 2 | File System Permissions Weakness 1 | File System Permissions Weakness 1 | Masquerading 3 | Input Capture 21 | Query Registry 1 | Taint Shared Content 1 | Input Capture 21 | Data Encrypted 1 | Standard Cryptographic Protocol 2
Replication Through Removable Media | Service Execution | Modify Existing Service 21 | Process Injection 1 | Software Packing 2 | Network Sniffing | Process Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 1
Drive-by Compromise | Windows Management Instrumentation | New Service 12 | New Service 12 | Process Injection 1 | Input Capture | Security Software Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol 1
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | NTFS File Attributes 1 | Credentials in Files | System Network Configuration Discovery 2 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | File Deletion 21 | Account Manipulation | File and Directory Discovery 11 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | DLL Side-Loading 1 | Brute Force | System Information Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\OBUQVT~1 | Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GALB8B | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
Source: Ze8ZhOer4V.exe | Joe Sandbox ML: detected
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Virustotal: Detection: 55%
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Virustotal: Detection: 55%
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | Virustotal: Detection: 55%
Multi AV Scanner detection for submitted file
Source: Ze8ZhOer4V.exe | Virustotal: Detection: 55%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040C4E3 CryptDecodeObject,CryptImportPublicKeyInfo, | 0_2_0040C4E3

Spreading:

Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | System file written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
Performs a network lookup / discovery via ARP
Source: unknown | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Enumerates the file system
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040EA3C FindFirstFileExW, | 0_2_0040EA3C

Networking:

Performs many domain queries via nslookup
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Uses nslookup.exe to query domains
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Found strings which match to known social media urls
Source: PresentationFontCache.exe, 0000000B.00000003.2168659188.00000000049C0000.00000004.00000001.sdmp | String found in binary or memory: Don't show againSave a Blank Copy of this FormData typed into this form will not be saved. Adobe Acrobat Reader can only save a blank copy of this form.Save a Blank CopyPlease print your completed form if you would like a copy for your records.CancelOKContinueIgnoreStopEmail a Blank Copy of this FormThe email method you just chose will email a blank copy of this form. The blank copy will not contain any data you may have typed into this form.Email a Blank CopyThis form contains an email submit button, located on the form. Clicking this email submit button will email a data file containing data you type into this form.blankcopySelect Email ClientPlease indicate the option which best describes how you send mail.&Desktop Email ApplicationChoose this option if you currently use an email application such as Microsoft Outlook, Eudora, or Mail.&Internet EmailChoose this option if you currently use an Internet email service such as Yahoo or Microsoft Hotmail.You will then need to save your form and return it manually
Source: PresentationFontCache.exe, 0000000B.00000003.2149497879.0000000003581000.00000004.00000001.sdmp | String found in binary or memory: Facebook.urlWBX equals www.facebook.com (Facebook)
Source: PresentationFontCache.exe, 0000000B.00000003.2149497879.0000000003581000.00000004.00000001.sdmp | String found in binary or memory: Twitter.url`C equals www.twitter.com (Twitter)
Source: PresentationFontCache.exe, 0000000B.00000003.2149497879.0000000003581000.00000004.00000001.sdmp | String found in binary or memory: Youtube.url equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: 8.8.8.8.in-addr.arpa

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: OBUQVT~1:bin, 0000000C.00000002.1977375435.00000000027FA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: PresentationFontCache.exe, 0000000B.00000002.2178931595.0000000003924000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_RegisterRawInputDevices.au32FZ/2

Spam, unwanted Advertisements and Ransom Demands:

Deletes shadow drive data (may be related to ransomware)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: vssadmin.exe, 00000003.00000002.1753559035.0000020DE0540000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exeWinSta0\Default
Source: vssadmin.exe, 00000003.00000002.1753559035.0000020DE0540000.00000004.00000020.sdmp | Binary or memory string: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: vssadmin.exe, 00000003.00000002.1753934423.0000020DE0825000.00000004.00000040.sdmp | Binary or memory string: C:\Windows\system32\vssadmin.exeDeleteShadows/All/Quiet
Source: vssadmin.exe, 00000003.00000002.1753535981.0000020DE0520000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000003.00000002.1753535981.0000020DE0520000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000003.00000002.1753535981.0000020DE0520000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000003.00000002.1753535981.0000020DE0520000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000003.00000002.1753535981.0000020DE0520000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
May disable shadow drive data (uses vssadmin)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet

DDoS:

Too many similar processes found
Source: unknown | Process created: 189
Source: conhost.exe | Process created: 46
Source: nslookup.exe | Process created: 47

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1746321572.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Dridex v4 encrypt/decrypt function | Author: kev
Source: 0.2.Ze8ZhOer4V.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Dridex v4 encrypt/decrypt function | Author: kev
Source: 0.2.Ze8ZhOer4V.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Dridex v4 encrypt/decrypt function | Author: kev
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040D21E NtClose, | 0_2_0040D21E
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_004026CB CreateProcessW,NtClose, | 0_2_004026CB
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040D3BF NtClose, | 0_2_0040D3BF
Creates files inside the system directory
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | File created: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe:0
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1516:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2504:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:980:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4204:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4772:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2560:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4396:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:972:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4212:120:WilError_01
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Mutant created: \Sessions\1\BaseNamedObjects\Global\{4776E382-B4C5-66CE-33E1-C15BCF56522E}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:936:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:960:120:WilError_01
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Mutant created: \Sessions\1\BaseNamedObjects\{{35778CD-D-D8-93-8-2F9--728B-B673868}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3720:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1288:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1268:120:WilError_01
Deletes files inside the Windows folder
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | File deleted: C:\Windows\Temp\shk63EF.tmp
Detected potential crypto function
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_00401A49 | 0_2_00401A49
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040428D | 0_2_0040428D
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040BD8E | 0_2_0040BD8E
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\OBUQVT~1:bin BD327754F879FF15B48FC86C741C4F546B9BBAE5C1A5AC4C095DF05DF696EC4F
Source: Joe Sandbox View | Dropped File: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe BD327754F879FF15B48FC86C741C4F546B9BBAE5C1A5AC4C095DF05DF696EC4F
Source: Joe Sandbox View | Dropped File: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe:0 89753CCCB2E8B1553F077B8F13C63FBEC2EABE7093A6B847477542483347C827
Sample file is different than original file name gathered from version infoShow sources
Source: Ze8ZhOer4V.exe, 00000000.00000002.1747278251.0000000004310000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemsader15.dllb! vs Ze8ZhOer4V.exe
Source: Ze8ZhOer4V.exeBinary or memory string: OriginalFilenamemsader15.dllb! vs Ze8ZhOer4V.exe
Sample reads its own file contentShow sources
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exeFile read: C:\Users\user\Desktop\Ze8ZhOer4V.exeJump to behavior
Tries to load missing DLLsShow sources
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exeSection loaded: wow64log.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\GALB8B:binSection loaded: wow64log.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exeSection loaded: wow64log.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binSection loaded: wow64log.dllJump to behavior
Yara signature match
Source: Ze8ZhOer4V.exe, type: SAMPLE | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: 00000000.00000002.1746321572.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: DridexV4 author = kev, description = Dridex v4 encrypt/decrypt function, cape_type = Dridex v4 Payload
Source: C:\Users\user\AppData\Roaming\GALB8B, type: DROPPED | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: C:\Users\user\AppData\Roaming\OBUQVT~1, type: DROPPED | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe, type: DROPPED | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: 0.2.Ze8ZhOer4V.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: DridexV4 author = kev, description = Dridex v4 encrypt/decrypt function, cape_type = Dridex v4 Payload
Source: 0.2.Ze8ZhOer4V.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: DridexV4 author = kev, description = Dridex v4 encrypt/decrypt function, cape_type = Dridex v4 Payload
Source: 12.0.OBUQVT~1:bin.400000.0.unpack, type: UNPACKEDPE | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: 0.0.Ze8ZhOer4V.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: 2.0.GALB8B:bin.400000.0.unpack, type: UNPACKEDPE | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Binary contains paths to development resources
Source: PresentationFontCache.exe, 0000000B.00000003.1999876075.0000000003581000.00000004.00000001.sdmp | Binary or memory string: AutoItX.sln
Source: PresentationFontCache.exe, 0000000B.00000002.2177131490.0000000002EE0000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files (x86)\AutoIt3\AutoItX\Examples\C++\AutoItX.sln
Classification label
Source: classification engine | Classification label: mal100.rans.spre.troj.evad.winEXE@299/34@254/13
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040CEE8 StartServiceCtrlDispatcherW, | 0_2_0040CEE8
Contains functionality to register a service control handler (likely the sample is a service DLL)
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040CEE8 StartServiceCtrlDispatcherW, | 0_2_0040CEE8
Creates files inside the user directory
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | File created: C:\Users\user\AppData\Roaming\GALB8B
Creates temporary files
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | File created: C:\Users\user\AppData\Local\Temp\7324F8C.tmp
PE file has an executable .text section and no other executable section
Source: Ze8ZhOer4V.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: Ze8ZhOer4V.exe | Virustotal: Detection: 55%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\Ze8ZhOer4V.exe 'C:\Users\user\Desktop\Ze8ZhOer4V.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\GALB8B:bin C:\Users\user\AppData\Roaming\GALB8B:bin C:\Users\user\Desktop\ZE8ZHO~1.EXE
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\takeown.exe C:\Windows\system32\takeown.exe /F C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe /reset
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\OBUQVT~1:bin C:\Users\user\AppData\Roaming\OBUQVT~1:bin
Source: unknown | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Process created: C:\Users\user\AppData\Roaming\GALB8B:bin C:\Users\user\AppData\Roaming\GALB8B:bin C:\Users\user\Desktop\ZE8ZHO~1.EXE
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Process created: C:\Windows\System32\takeown.exe C:\Windows\system32\takeown.exe /F C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Process created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe /reset
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | Process created: C:\Users\user\AppData\Roaming\OBUQVT~1:bin C:\Users\user\AppData\Roaming\OBUQVT~1:bin
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -aJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\vssadmin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
PE file contains a debug data directory
Source: Ze8ZhOer4V.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: GALB8B:bin, 00000002.00000003.1755928066.000000000418E000.00000004.00000001.sdmp, PresentationFontCache.exe_0.2.dr
Source: Binary string: PresentationFontCache.pdb source: GALB8B:bin, 00000002.00000003.1755928066.000000000418E000.00000004.00000001.sdmp, PresentationFontCache.exe_0.2.dr
Source: Binary string: 04QuURX.pdb source: Ze8ZhOer4V.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Unpacked PE file: 0.2.Ze8ZhOer4V.exe.400000.0.unpack .text:ER;.data0:R;.data:W;.qdata:W;.code:W;.CRT:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;.bss:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Unpacked PE file: 0.2.Ze8ZhOer4V.exe.400000.0.unpack
PE file contains sections with non-standard names
Source: Ze8ZhOer4V.exe | Static PE information: section name: .data0
Source: Ze8ZhOer4V.exe | Static PE information: section name: .qdata
Source: Ze8ZhOer4V.exe | Static PE information: section name: .code
Source: GALB8B_bin.0.dr | Static PE information: section name: .data0
Source: GALB8B_bin.0.dr | Static PE information: section name: .qdata
Source: GALB8B_bin.0.dr | Static PE information: section name: .code
Source: PresentationFontCache.exe.2.dr | Static PE information: section name: .data0
Source: PresentationFontCache.exe.2.dr | Static PE information: section name: .qdata
Source: PresentationFontCache.exe.2.dr | Static PE information: section name: .code
Source: OBUQVT~1_bin.11.dr | Static PE information: section name: .data0
Source: OBUQVT~1_bin.11.dr | Static PE information: section name: .qdata
Source: OBUQVT~1_bin.11.dr | Static PE information: section name: .code

Persistence and Installation Behavior:

Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | System file written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
Drops PE files
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | File created: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe:0
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File created: C:\Users\user\AppData\Roaming\OBUQVT~1:bin
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | File created: C:\Users\user\AppData\Roaming\GALB8B:bin
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | File created: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | File created: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe:0
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | File created: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | File created: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe:0

Boot Survival:

Creates or modifies windows services
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FontCache3.0.0.0
Modifies existing windows services
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FontCache3.0.0.0
Contains functionality to start windows services
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040CEE8 StartServiceCtrlDispatcherW

Hooking and other Techniques for Hiding and Protection:

Creates files in alternative data streams (ADS)
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | File created: C:\Users\user\AppData\Roaming\GALB8B:bin
Deletes itself after installation
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | File deleted: c:\users\user\desktop\ze8zhoer4v.exe
Uses cacls to modify the permissions of files
Source: unknown | Process created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe /reset
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Enumerates the file system
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Dropped PE file which has not been started: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe:0
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Check user administrative privileges: GetTokenInformation, DecisionNodes (graph_0-9568)
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040EA3C FindFirstFileExW
Contains functionality to query system information
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040727A GetSystemInfo
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: GALB8B:bin, 00000002.00000003.1757983258.0000000004146000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: GALB8B:bin, 00000002.00000003.1757983258.0000000004146000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service,
Source: GALB8B:bin, 00000002.00000003.1757983258.0000000004146000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Servicev
Source: GALB8B:bin, 00000002.00000003.1757983258.0000000004146000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Servicew
Source: GALB8B:bin, 00000002.00000003.1757983258.0000000004146000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: ARP.EXE, 0000000D.00000002.1769357899.000001CA8A230000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll..
Program exit points
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | API call chain: ExitProcess graph end node (graph_0-9898)
Queries a list of all running processes
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_00407DEC LdrLoadDll
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_025E178B SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Code function: 2_2_0251178B SetUnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | Code function: 11_2_02B5178B SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Code function: 12_2_027C178B SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Process created: C:\Users\user\AppData\Roaming\GALB8B:bin C:\Users\user\AppData\Roaming\GALB8B:bin C:\Users\user\Desktop\ZE8ZHO~1.EXE
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Process created: C:\Windows\System32\takeown.exe C:\Windows\system32\takeown.exe /F C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Process created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe /reset
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -aJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1Jump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unkno
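Two things in these process-creation entries are worth pulling out of the noise. The source path ends in `:bin`, which is NTFS alternate-data-stream syntax: the running image lives in a stream named `bin` attached to `OBUQVT~1` under the user's Roaming profile, a location that does not appear in a normal directory listing. And the same parent spawns `nslookup.exe` against a series of 192.168.2.x addresses plus `arp.exe -a`, which is LAN host discovery and matches the "spre" (spreading) tag in the classification string above. The report also shows a doubled backslash before the image name in those command lines (`system32\\nslookup.exe`); that is a quirk of this sample's command-line construction and a cheap indicator, but nothing on this page says it is stable across variants.

The following triage script is an added example, not part of the Joe Sandbox report or its tooling. It parses entries in the cleaned "Source: ... | Process created: ..." form used on this page, flags ADS-resident parents, counts unresolved children, and groups the nslookup/arp activity per parent into a host-discovery finding. The sample lines are constructed from entries shown above, and the `min_hosts` threshold is an assumption chosen for illustration.

```python
"""Triage of process-creation entries from a sandbox behaviour report.

Added example (not part of the Joe Sandbox report on this page): the record
format and SAMPLE_LINES below are constructed from the entries shown above,
and the min_hosts threshold is an assumption chosen for illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: a subset of the entries listed on this page, in the
# cleaned "Source | Process created" form. "unknown unknown" is what the
# report shows when the child image could not be resolved.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: unknown unknown",
    r"Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4",
    r"Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6",
    r"Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: unknown unknown",
    r"Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11",
    r"Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8",
    r"Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1",
    r"Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a",
    r"Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11",
    r"Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4",
]

RECORD_RE = re.compile(
    r"^Source: (?P<source>.+?) \| Process created: (?P<image>\S+)(?: (?P<cmdline>.*))?$"
)
# Drive-letter path whose LAST component carries a ":stream" suffix, i.e. an
# NTFS alternate data stream. The drive-letter colon at offset 1 is consumed
# by the prefix and therefore never counted.
ADS_RE = re.compile(r"^[A-Za-z]:\\(?:[^\\:]+\\)*[^\\:]+:[^\\:]+$")
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_record(line):
    """Split one cleaned report line into (source, child image, child command line)."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return m.group("source"), m.group("image"), m.group("cmdline") or ""


def is_ads_path(path):
    """True when the final path component names an alternate data stream."""
    return bool(ADS_RE.match(path))


def triage(lines, min_hosts=3):
    """Summarise ADS execution and LAN host discovery across report lines."""
    parsed = [rec for rec in map(parse_record, lines) if rec]
    ads_sources = set()
    unresolved = 0
    double_backslash = 0
    per_parent = defaultdict(lambda: {"lookup_targets": set(), "arp_table_dump": False})

    for source, image, cmdline in parsed:
        if is_ads_path(source):
            ads_sources.add(source)
        if image == "unknown":
            unresolved += 1  # child image not resolved by the sandbox
            continue
        if "\\\\" in cmdline:  # literal doubled backslash, as shown in the report
            double_backslash += 1
        name = image.rsplit("\\", 1)[-1].lower()
        if name == "nslookup.exe":
            # Reverse lookups of bare IPs: collect the targets per parent so a
            # sweep shows up as one finding rather than N isolated events.
            for ip in IPV4_RE.findall(cmdline):
                per_parent[source]["lookup_targets"].add(ip)
        elif name == "arp.exe" and "-a" in cmdline.split():
            per_parent[source]["arp_table_dump"] = True

    recon = []
    for parent, info in per_parent.items():
        targets = sorted(info["lookup_targets"], key=ip_address)
        nets = {str(ip_network(t + "/24", strict=False)) for t in targets}
        if len(targets) >= min_hosts or info["arp_table_dump"]:
            recon.append({
                "parent": parent,
                "targets": targets,
                "networks": sorted(nets),
                "arp_table_dump": info["arp_table_dump"],
            })
    return {
        "records": len(parsed),
        "ads_sources": sorted(ads_sources),
        "unresolved_children": unresolved,
        "double_backslash_cmdlines": double_backslash,
        "recon": recon,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

On the full list above the same logic would report one ADS-resident parent, one host-discovery finding covering 192.168.2.0/24 with an ARP table dump, and several dozen unresolved children; the exact counts depend on how many entries survive the report's "behavior information exceeds normal sizes" truncation noted in the overview. For production telemetry (Sysmon event ID 1, EDR process trees) the same three checks apply unchanged: parent image path containing a stream suffix, a burst of nslookup or ping children with sequential LAN targets, and arp -a from a non-interactive parent.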