Analysis Report Ze8ZhOer4V

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 187597
Start date: 05.11.2019
Start time: 17:28:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 37s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Ze8ZhOer4V (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.spre.troj.evad.winEXE@299/34@254/13
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 90.2% (good quality ratio 89.9%)
  • Quality average: 85.7%
  • Quality standard deviation: 19.3%
HCA Information:
  • Successful, ratio: 54%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): dllhost.exe, VSSVC.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): (list omitted)
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis.
Sample has functionality to log and monitor keystrokes; analyze it with the 'Simulates keyboard and window changes' cookbook.
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.

MITRE ATT&CK Matrix

Techniques are listed per tactic. A number in parentheses is the signature-count badge shown in the matrix; techniques without one were not observed.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
Execution: Service Execution (2); Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface
Persistence: File System Permissions Weakness (1); Modify Existing Service (2, 1); New Service (1, 2); System Firmware; Shortcut Modification; Modify Existing Service
Privilege Escalation: File System Permissions Weakness (1); Process Injection (1); New Service (1, 2); DLL Search Order Hijacking; File System Permissions Weakness; New Service
Defense Evasion: Masquerading (3); Software Packing (2); Process Injection (1); NTFS File Attributes (1); File Deletion (2, 1); DLL Side-Loading (1)
Credential Access: Input Capture (2, 1); Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force
Discovery: Query Registry (1); Process Discovery (1); Security Software Discovery (1); System Network Configuration Discovery (2); File and Directory Discovery (1, 1); System Information Discovery (1)
Lateral Movement: Taint Shared Content (1); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software
Collection: Input Capture (2, 1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Standard Cryptographic Protocol (2); Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (1); Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port

Signature Overview

AV Detection:

Antivirus or Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\OBUQVT~1 | Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GALB8B | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
Source: Ze8ZhOer4V.exe | Joe Sandbox ML: detected
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Virustotal: Detection: 55%
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Virustotal: Detection: 55%
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | Virustotal: Detection: 55%
Multi AV Scanner detection for submitted file
Source: Ze8ZhOer4V.exe | Virustotal: Detection: 55%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040C4E3 CryptDecodeObject,CryptImportPublicKeyInfo,

Spreading:

Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | System file written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
Performs a network lookup / discovery via ARP
Source: unknown | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Enumerates the file system
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040EA3C FindFirstFileExW,

Networking:

Performs many domain queries via nslookup
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Uses nslookup.exe to query domains
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Found strings which match to known social media urls
Source: PresentationFontCache.exe, 0000000B.00000003.2168659188.00000000049C0000.00000004.00000001.sdmp | String found in binary or memory: Don't show againSave a Blank Copy of this FormData typed into this form will not be saved. Adobe Acrobat Reader can only save a blank copy of this form.Save a Blank CopyPlease print your completed form if you would like a copy for your records.CancelOKContinueIgnoreStopEmail a Blank Copy of this FormThe email method you just chose will email a blank copy of this form. The blank copy will not contain any data you may have typed into this form.Email a Blank CopyThis form contains an email submit button, located on the form. Clicking this email submit button will email a data file containing data you type into this form.blankcopySelect Email ClientPlease indicate the option which best describes how you send mail.&Desktop Email ApplicationChoose this option if you currently use an email application such as Microsoft Outlook, Eudora, or Mail.&Internet EmailChoose this option if you currently use an Internet email service such as Yahoo or Microsoft Hotmail.You will then need to save your form and return it manually
Source: PresentationFontCache.exe, 0000000B.00000003.2149497879.0000000003581000.00000004.00000001.sdmp | String found in binary or memory: Facebook.urlWBX equals www.facebook.com (Facebook)
Source: PresentationFontCache.exe, 0000000B.00000003.2149497879.0000000003581000.00000004.00000001.sdmp | String found in binary or memory: Twitter.url`C equals www.twitter.com (Twitter)
Source: PresentationFontCache.exe, 0000000B.00000003.2149497879.0000000003581000.00000004.00000001.sdmp | String found in binary or memory: Youtube.url equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: 8.8.8.8.in-addr.arpa

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: OBUQVT~1:bin, 0000000C.00000002.1977375435.00000000027FA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: PresentationFontCache.exe, 0000000B.00000002.2178931595.0000000003924000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_RegisterRawInputDevices.au32FZ/2

Spam, unwanted Advertisements and Ransom Demands:

Deletes shadow drive data (may be related to ransomware)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: vssadmin.exe, 00000003.00000002.1753559035.0000020DE0540000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exeWinSta0\Default
Source: vssadmin.exe, 00000003.00000002.1753559035.0000020DE0540000.00000004.00000020.sdmp | Binary or memory string: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: vssadmin.exe, 00000003.00000002.1753934423.0000020DE0825000.00000004.00000040.sdmp | Binary or memory string: C:\Windows\system32\vssadmin.exeDeleteShadows/All/Quiet
Source: vssadmin.exe, 00000003.00000002.1753535981.0000020DE0520000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000003.00000002.1753535981.0000020DE0520000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000003.00000002.1753535981.0000020DE0520000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000003.00000002.1753535981.0000020DE0520000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000003.00000002.1753535981.0000020DE0520000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
May disable shadow drive data (uses vssadmin)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet

DDoS:

Too many similar processes found
Source: unknown | Process created: 189
Source: conhost.exe | Process created: 46
Source: nslookup.exe | Process created: 47

System Summary:

barindex
Malicious sample detected (through community Yara rule)Show sources
Source: 00000000.00000002.1746321572.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Dridex v4 encrypt/decrypt function Author: kev
Source: 0.2.Ze8ZhOer4V.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Dridex v4 encrypt/decrypt function Author: kev
Source: 0.2.Ze8ZhOer4V.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Dridex v4 encrypt/decrypt function Author: kev
Contains functionality to call native functionsShow sources
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exeCode function: 0_2_0040D21E NtClose,
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exeCode function: 0_2_004026CB CreateProcessW,NtClose,
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exeCode function: 0_2_0040D3BF NtClose,
Creates files inside the system directoryShow sources
Source: C:\Users\user\AppData\Roaming\GALB8B:binFile created: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe:0Jump to behavior
Creates mutexesShow sources
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1516:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2504:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:980:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4204:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4772:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2560:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4396:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:972:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4212:120:WilError_01
Source: C:\Users\user\AppData\Roaming\GALB8B:binMutant created: \Sessions\1\BaseNamedObjects\Global\{4776E382-B4C5-66CE-33E1-C15BCF56522E}
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:936:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:960:120:WilError_01
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binMutant created: \Sessions\1\BaseNamedObjects\{{35778CD-D-D8-93-8-2F9--728B-B673868}
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3720:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1288:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1268:120:WilError_01
Deletes files inside the Windows folder
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | File deleted: C:\Windows\Temp\shk63EF.tmp
Detected potential crypto function
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_00401A49
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040428D
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040BD8E
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\OBUQVT~1:bin BD327754F879FF15B48FC86C741C4F546B9BBAE5C1A5AC4C095DF05DF696EC4F
Source: Joe Sandbox View | Dropped File: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe BD327754F879FF15B48FC86C741C4F546B9BBAE5C1A5AC4C095DF05DF696EC4F
Source: Joe Sandbox View | Dropped File: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe:0 89753CCCB2E8B1553F077B8F13C63FBEC2EABE7093A6B847477542483347C827
Sample file is different than original file name gathered from version info
Source: Ze8ZhOer4V.exe, 00000000.00000002.1747278251.0000000004310000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemsader15.dllb! vs Ze8ZhOer4V.exe
Source: Ze8ZhOer4V.exe | Binary or memory string: OriginalFilenamemsader15.dllb! vs Ze8ZhOer4V.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | File read: C:\Users\user\Desktop\Ze8ZhOer4V.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Section loaded: wow64log.dll
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Section loaded: wow64log.dll
Yara signature match
Source: Ze8ZhOer4V.exe, type: SAMPLE | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: 00000000.00000002.1746321572.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: DridexV4 author = kev, description = Dridex v4 encrypt/decrypt function, cape_type = Dridex v4 Payload
Source: C:\Users\user\AppData\Roaming\GALB8B, type: DROPPED | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: C:\Users\user\AppData\Roaming\OBUQVT~1, type: DROPPED | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe, type: DROPPED | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: 0.2.Ze8ZhOer4V.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: DridexV4 author = kev, description = Dridex v4 encrypt/decrypt function, cape_type = Dridex v4 Payload
Source: 0.2.Ze8ZhOer4V.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: DridexV4 author = kev, description = Dridex v4 encrypt/decrypt function, cape_type = Dridex v4 Payload
Source: 12.0.OBUQVT~1:bin.400000.0.unpack, type: UNPACKEDPE | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: 0.0.Ze8ZhOer4V.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: 2.0.GALB8B:bin.400000.0.unpack, type: UNPACKEDPE | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Binary contains paths to development resources
Source: PresentationFontCache.exe, 0000000B.00000003.1999876075.0000000003581000.00000004.00000001.sdmp | Binary or memory string: AutoItX.sln
Source: PresentationFontCache.exe, 0000000B.00000002.2177131490.0000000002EE0000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files (x86)\AutoIt3\AutoItX\Examples\C++\AutoItX.sln
Classification label
Source: classification engine | Classification label: mal100.rans.spre.troj.evad.winEXE@299/34@254/13
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040CEE8 StartServiceCtrlDispatcherW,
Contains functionality to register a service control handler (likely the sample is a service DLL)
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040CEE8 StartServiceCtrlDispatcherW,
Creates files inside the user directory
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | File created: C:\Users\user\AppData\Roaming\GALB8B
Creates temporary files
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | File created: C:\Users\user\AppData\Local\Temp\7324F8C.tmp
PE file has an executable .text section and no other executable section
Source: Ze8ZhOer4V.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: Ze8ZhOer4V.exe | Virustotal: Detection: 55%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\Ze8ZhOer4V.exe 'C:\Users\user\Desktop\Ze8ZhOer4V.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\GALB8B:bin C:\Users\user\AppData\Roaming\GALB8B:bin C:\Users\user\Desktop\ZE8ZHO~1.EXE
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\takeown.exe C:\Windows\system32\takeown.exe /F C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe /reset
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\OBUQVT~1:bin C:\Users\user\AppData\Roaming\OBUQVT~1:bin
Source: unknown | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exeProcess created: C:\Users\user\AppData\Roaming\GALB8B:bin C:\Users\user\AppData\Roaming\GALB8B:bin C:\Users\user\Desktop\ZE8ZHO~1.EXE
Source: C:\Users\user\AppData\Roaming\GALB8B:binProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\AppData\Roaming\GALB8B:binProcess created: C:\Windows\System32\takeown.exe C:\Windows\system32\takeown.exe /F C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
Source: C:\Users\user\AppData\Roaming\GALB8B:binProcess created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe /reset
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exeProcess created: C:\Users\user\AppData\Roaming\OBUQVT~1:bin C:\Users\user\AppData\Roaming\OBUQVT~1:bin
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\vssadmin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
PE file contains a debug data directory
Source: Ze8ZhOer4V.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: GALB8B:bin, 00000002.00000003.1755928066.000000000418E000.00000004.00000001.sdmp, PresentationFontCache.exe_0.2.dr
Source: Binary string: PresentationFontCache.pdb source: GALB8B:bin, 00000002.00000003.1755928066.000000000418E000.00000004.00000001.sdmp, PresentationFontCache.exe_0.2.dr
Source: Binary string: 04QuURX.pdb source: Ze8ZhOer4V.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Unpacked PE file: 0.2.Ze8ZhOer4V.exe.400000.0.unpack .text:ER;.data0:R;.data:W;.qdata:W;.code:W;.CRT:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;.bss:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Unpacked PE file: 0.2.Ze8ZhOer4V.exe.400000.0.unpack
PE file contains sections with non-standard names
Source: Ze8ZhOer4V.exe | Static PE information: section name: .data0
Source: Ze8ZhOer4V.exe | Static PE information: section name: .qdata
Source: Ze8ZhOer4V.exe | Static PE information: section name: .code
Source: GALB8B_bin.0.dr | Static PE information: section name: .data0
Source: GALB8B_bin.0.dr | Static PE information: section name: .qdata
Source: GALB8B_bin.0.dr | Static PE information: section name: .code
Source: PresentationFontCache.exe.2.dr | Static PE information: section name: .data0
Source: PresentationFontCache.exe.2.dr | Static PE information: section name: .qdata
Source: PresentationFontCache.exe.2.dr | Static PE information: section name: .code
Source: OBUQVT~1_bin.11.dr | Static PE information: section name: .data0
Source: OBUQVT~1_bin.11.dr | Static PE information: section name: .qdata
Source: OBUQVT~1_bin.11.dr | Static PE information: section name: .code

Persistence and Installation Behavior:

Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | System file written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
Drops PE files
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | File created: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe:0
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File created: C:\Users\user\AppData\Roaming\OBUQVT~1:bin
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | File created: C:\Users\user\AppData\Roaming\GALB8B:bin
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | File created: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | File created: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe:0
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | File created: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | File created: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe:0

Boot Survival:

Creates or modifies windows services
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FontCache3.0.0.0
Modifies existing windows services
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FontCache3.0.0.0
Contains functionality to start windows services
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040CEE8 StartServiceCtrlDispatcherW,

Hooking and other Techniques for Hiding and Protection:

Creates files in alternative data streams (ADS)
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | File created: C:\Users\user\AppData\Roaming\GALB8B:bin
Deletes itself after installation
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | File deleted: c:\users\user\desktop\ze8zhoer4v.exe
Uses cacls to modify the permissions of files
Source: unknown | Process created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe /reset
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Enumerates the file system
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Dropped PE file which has not been started: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe:0
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040EA3C FindFirstFileExW,
Contains functionality to query system information
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_0040727A GetSystemInfo,
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: GALB8B:bin, 00000002.00000003.1757983258.0000000004146000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: GALB8B:bin, 00000002.00000003.1757983258.0000000004146000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service,
Source: GALB8B:bin, 00000002.00000003.1757983258.0000000004146000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Servicev
Source: GALB8B:bin, 00000002.00000003.1757983258.0000000004146000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Servicew
Source: GALB8B:bin, 00000002.00000003.1757983258.0000000004146000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: ARP.EXE, 0000000D.00000002.1769357899.000001CA8A230000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll..
Program exit points
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | API call chain: ExitProcess graph end node
Queries a list of all running processes
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_00407DEC LdrLoadDll,
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Code function: 0_2_025E178B SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Code function: 2_2_0251178B SetUnhandledExceptionFilter,
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | Code function: 11_2_02B5178B SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Code function: 12_2_027C178B SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exe | Process created: C:\Users\user\AppData\Roaming\GALB8B:bin C:\Users\user\AppData\Roaming\GALB8B:bin C:\Users\user\Desktop\ZE8ZHO~1.EXE
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Process created: C:\Windows\System32\takeown.exe C:\Windows\system32\takeown.exe /F C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
Source: C:\Users\user\AppData\Roaming\GALB8B:bin | Process created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe /reset
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:bin | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\OBUQVT~1:binProcess created: unknown unknown

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\Ze8ZhOer4V.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 187597, Sample: Ze8ZhOer4V, Startdate: 05/11/2019, Architecture: WINDOWS, Score: 100
  • DNS/IP Info: 8.8.8.8.in-addr.arpa
  • Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus or Machine Learning detection for dropped file; Antivirus or Machine Learning detection for sample; 6 other signatures
  • Processes started from the sample: PresentationFontCache.exe; Ze8ZhOer4V.exe
  • PresentationFontCache.exe: dropped C:\Users\user\AppData\Roaming\OBUQVT~1:bin (PE32); signatures: Antivirus or Machine Learning detection for dropped file; Multi AV Scanner detection for dropped file; started OBUQVT~1:bin
  • Ze8ZhOer4V.exe: dropped C:\Users\user\AppData\Roaming\GALB8B:bin (PE32); signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Creates files in alternative data streams (ADS); started GALB8B:bin
  • OBUQVT~1:bin: signatures: Multi AV Scanner detection for dropped file; Uses nslookup.exe to query domains; Performs many domain queries via nslookup; Performs a network lookup / discovery via ARP; started nslookup.exe, nslookup.exe, nslookup.exe