
Analysis Report n7WgX8KrT6

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 187871
Start date: 06.11.2019
Start time: 14:21:04
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 51s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: n7WgX8KrT6 (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.rans.spre.troj.evad.winEXE@301/26@254/8
EGA Information:
  • Successful, ratio: 25%
HDC Information:
  • Successful, ratio: 90.2% (good quality ratio 89.9%)
  • Quality average: 85.7%
  • Quality standard deviation: 19.3%
HCA Information:
  • Successful, ratio: 51%
  • Number of executed functions: 35
  • Number of non-executed functions: 3
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, VSSVC.exe, CompatTelRunner.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted)
  • Excluded domains from analysis (whitelisted)
  • Execution Graph export aborted for target Q8aZuE:bin, PID 3304 because there are no executed functions
  • Execution Graph export aborted for target perfhost.exe, PID 5088 because there are no executed functions
  • Execution Graph export aborted for target v2BsMVh:bin, PID 2664 because it is empty
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.

Detection

  • Strategy: Threshold
  • Score: 100
  • Range: 0 - 100
  • Whitelisted: false
  • Threat: Bitpaymer
  • Detection: malicious

Confidence

  • Strategy: Threshold
  • Score: 5
  • Range: 0 - 5
  • Further Analysis Required?: false


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

  • Initial Access: Valid Accounts, Replication Through Removable Media, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment
  • Execution: Service Execution², Service Execution, Windows Management Instrumentation, Scheduled Task, Command-Line Interface, Graphical User Interface
  • Persistence: File System Permissions Weakness¹, Modify Existing Service²¹, New Service¹², System Firmware, Shortcut Modification, Modify Existing Service
  • Privilege Escalation: File System Permissions Weakness¹, Process Injection¹¹, New Service¹², DLL Search Order Hijacking, File System Permissions Weakness, New Service
  • Defense Evasion: Masquerading³, Software Packing², Process Injection¹¹, NTFS File Attributes¹, File Deletion²¹, DLL Side-Loading¹
  • Credential Access: Input Capture²¹, Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force
  • Discovery: Query Registry¹, Process Discovery², Security Software Discovery¹¹, System Network Configuration Discovery², File and Directory Discovery¹¹, System Information Discovery¹
  • Lateral Movement: Taint Shared Content¹, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software
  • Collection: Input Capture²¹, Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture
  • Exfiltration: Data Encrypted¹, Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits
  • Command and Control: Standard Cryptographic Protocol², Standard Non-Application Layer Protocol¹, Standard Application Layer Protocol¹, Multiband Communication, Standard Cryptographic Protocol, Commonly Used Port

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for dropped file
Source: C:\Windows\SysWOW64\perfhost.exe | Joe Sandbox ML: detected
Source: C:\Windows\System32\TieringEngineService.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\v2BsMVh | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Q8aZuE | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
Source: n7WgX8KrT6.exe | Joe Sandbox ML: detected
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Virustotal: Detection: 61%
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Virustotal: Detection: 61%
Source: C:\Windows\SysWOW64\perfhost.exe | Virustotal: Detection: 61%
Source: C:\Windows\System32\TieringEngineService.exe | Virustotal: Detection: 61%
Multi AV Scanner detection for submitted file
Source: n7WgX8KrT6.exe | Virustotal: Detection: 61%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Code function: 0_2_0040C4E3 CryptDecodeObject,CryptImportPublicKeyInfo,0_2_0040C4E3

Spreading:

Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | System file written: C:\Windows\System32\TieringEngineService.exe
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | System file written: C:\Windows\SysWOW64\perfhost.exe
Performs a network lookup / discovery via ARP
Source: unknown | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Enumerates the file system
Source: C:\Windows\SysWOW64\perfhost.exe | File opened: C:\Program Files (x86)\Adobe
Source: C:\Windows\SysWOW64\perfhost.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp
Source: C:\Windows\SysWOW64\perfhost.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl
Source: C:\Windows\SysWOW64\perfhost.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader
Source: C:\Windows\SysWOW64\perfhost.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU
Source: C:\Windows\SysWOW64\perfhost.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Code function: 0_2_0040EA3C FindFirstFileExW,0_2_0040EA3C

Networking:

Performs many domain queries via nslookup
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.5
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Uses nslookup.exe to query domains
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.5
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.5
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.5
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Found strings which match to known social media urls
Source: perfhost.exe, 0000000B.00000002.5013464298.0000000003700000.00000004.00000001.sdmp, TieringEngineService.exe, 00000014.00000003.5538538045.00000000028D1000.00000004.00000001.sdmp | String found in binary or memory: Twitter.url equals www.twitter.com (Twitter)
Source: TieringEngineService.exe, 00000014.00000003.5376071022.00000000028F3000.00000004.00000001.sdmp | String found in binary or memory: YAHOO.HK.XML` equals www.yahoo.com (Yahoo)
Source: perfhost.exe, 0000000B.00000003.4809783912.000000000275F000.00000004.00000001.sdmp, TieringEngineService.exe, 00000014.00000003.5376071022.00000000028F3000.00000004.00000001.sdmp | String found in binary or memory: YAHOO.IE.XML` equals www.yahoo.com (Yahoo)
Source: perfhost.exe, 0000000B.00000003.4809783912.000000000275F000.00000004.00000001.sdmp, TieringEngineService.exe, 00000014.00000003.5376071022.00000000028F3000.00000004.00000001.sdmp | String found in binary or memory: YAHOO.IT.XML` equals www.yahoo.com (Yahoo)
Source: perfhost.exe, 0000000B.00000003.4809783912.000000000275F000.00000004.00000001.sdmp, TieringEngineService.exe, 00000014.00000003.5376071022.00000000028F3000.00000004.00000001.sdmp | String found in binary or memory: YAHOO.JP.XML` equals www.yahoo.com (Yahoo)
Source: perfhost.exe, 0000000B.00000003.4809783912.000000000275F000.00000004.00000001.sdmp, TieringEngineService.exe, 00000014.00000003.5376071022.00000000028F3000.00000004.00000001.sdmp | String found in binary or memory: YAHOO.NO.XML` equals www.yahoo.com (Yahoo)
Source: perfhost.exe, 0000000B.00000003.4809783912.000000000275F000.00000004.00000001.sdmp, TieringEngineService.exe, 00000014.00000003.5376071022.00000000028F3000.00000004.00000001.sdmp | String found in binary or memory: YAHOO.PL.XML equals www.yahoo.com (Yahoo)
Source: perfhost.exe, 0000000B.00000003.4809783912.000000000275F000.00000004.00000001.sdmp, TieringEngineService.exe, 00000014.00000003.5376071022.00000000028F3000.00000004.00000001.sdmp | String found in binary or memory: YAHOO.SE.XML equals www.yahoo.com (Yahoo)
Source: perfhost.exe, 0000000B.00000002.5013464298.0000000003700000.00000004.00000001.sdmp, TieringEngineService.exe, 00000014.00000003.5538538045.00000000028D1000.00000004.00000001.sdmp | String found in binary or memory: Youtube.urlIPKGELNTQY.pdfhJ equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: 8.8.8.8.in-addr.arpa
Urls found in memory or binary data
Source: TieringEngineService.exe, 00000014.00000003.5562933901.0000000003CE0000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText
Source: TieringEngineService.exe, 00000014.00000003.5562933901.0000000003CE0000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: TieringEngineService.exe, 00000014.00000003.5562933901.0000000003CE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: TieringEngineService.exe, 00000014.00000003.5562933901.0000000003CE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: TieringEngineService.exe, 00000014.00000003.5562933901.0000000003CE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: TieringEngineService.exe, 00000014.00000003.5562933901.0000000003CE0000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/ns3.xsd
Source: TieringEngineService.exe, 00000014.00000003.5562933901.0000000003CE0000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/ns3.xsd(=K(l
Source: TieringEngineService.exe, 00000014.00000003.5698009662.0000000002F6D000.00000004.00000001.sdmp | String found in binary or memory: http://www.bohemiancoding.com/sketch
Source: TieringEngineService.exe, 00000014.00000003.5562933901.0000000003CE0000.00000004.00000001.sdmp | String found in binary or memory: http://www.docs.oasis-open.org/dss/oasis-dss-1.0-core-schema-cd-02.xsd
Source: TieringEngineService.exe, 00000014.00000003.5570290183.0000000003A07000.00000004.00000001.sdmp | String found in binary or memory: https://.OKCancelEdit
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://accounts.google.com/o/oauth2/revoke?token=
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://accounts.google.com/o/oauth2/revoke?token=X
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://api.box.com/2.0/files/
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://api.box.com/2.0/folders/
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://api.box.com/2.0/folders/https://api.box.com/2.0/files/?fields=type
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://api.box.com/2.0/users/me?fields=
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://api.box.com/2.0/users/me?fields=type
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://api.box.com/oauth2/revoke
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://api.box.com/oauth2/revoke&token=
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://api.box.com/oauth2/token
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://api.office.com/discovery/
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://api.office.com/discovery/v2.0/me/services
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://api.onedrive.com/v1.0
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://api.onedrive.com/v1.0/$metadata
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://api.onedrive.com/v1.0https://api.onedrive.com/v1.0/$metadatahttps://login.live.com/oauth20_l
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://apis.live.net/v5.0/me
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://app.box.com/api/oauth2/authorize
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.comhttps://accounts.google.com/o/oauth2/authhttps://www.googleapis.com/oauth2/v
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_token.srf
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/token
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://onedrive.live.com
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://onedrive.live.comhttps://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://upload.box.com/api/2.0/files/
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://upload.box.com/api/2.0/files/contentmultipart/form-data;
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://www.box.com
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://www.box.comhttps://app.box.com/api/oauth2/authorizehttps://api.box.com/oauth2/token6qxlpua7k
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/auth/drive
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/auth/driveofflineaccess_typeConnector.GoogleDriveReportWebRequesturlgener
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/auth/userinfo.profile
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/drive/v3/about?fields=maxUploadSize
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/drive/v3/files/
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/drive/v3/files/root?fields=id
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/drive/v3/files/root?fields=idToggleGoogleDriveConnectorROOTMy
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/drive/v3/files?q=
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/oauth2/v4/token?
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/upload/drive/v3/files/
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/upload/drive/v3/files/https://www.googleapis.com/upload/drive/v3/files?up
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable
Source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/upload/drive/v3/files?uploadType=resumableX-Upload-Content-TypePUT

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Q8aZuE:bin, 00000002.00000002.4527305883.00000000027EA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: perfhost.exe, 0000000B.00000003.4742977454.000000000274F000.00000004.00000001.sdmp | Binary or memory string: !F_WinAPI_RegisterRawInputDevices.au3?

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Bitpaymer
Source: Yara match | File source: Process Memory Space: n7WgX8KrT6.exe PID: 2456, type: MEMORY
Deletes shadow drive data (may be related to ransomware)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: vssadmin.exe, 00000003.00000002.4478677971.0000026DF6415000.00000004.00000040.sdmp | Binary or memory string: C:\Windows\system32\vssadmin.exeDeleteShadows/All/Quiet
Source: vssadmin.exe, 00000003.00000002.4478696515.0000026DF6460000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exeWinSta0\Default
Source: vssadmin.exe, 00000003.00000002.4478696515.0000026DF6460000.00000004.00000020.sdmp | Binary or memory string: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: vssadmin.exe, 00000003.00000002.4478638788.0000026DF63E0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000003.00000002.4478638788.0000026DF63E0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000003.00000002.4478638788.0000026DF63E0000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000003.00000002.4478638788.0000026DF63E0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000003.00000002.4478638788.0000026DF63E0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
May disable shadow drive data (uses vssadmin)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet

DDoS:

Too many similar processes found
Source: unknown | Process created: 230

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.4472355154.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Dridex v4 encrypt/decrypt function Author: kev
Source: 0.2.n7WgX8KrT6.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Dridex v4 encrypt/decrypt function Author: kev
Source: 0.2.n7WgX8KrT6.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Dridex v4 encrypt/decrypt function Author: kev
Contains functionality to call native functions
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Code function: 0_2_0040D21E NtClose, 0_2_0040D21E
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Code function: 0_2_004026CB CreateProcessW, NtClose, 0_2_004026CB
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Code function: 0_2_0040D3BF NtClose, 0_2_0040D3BF
Creates files inside the system directory
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | File created: C:\Windows\SysWow64\perfhost.exe:0
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1136:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3780:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2656:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1804:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Mutant created: \Sessions\1\BaseNamedObjects\Global\{DE1ACA71-EAEB-0033-6503-A8EB3D9B5AD1}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:384:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1884:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4860:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4300:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3496:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4872:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1708:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4748:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:388:120:WilError_01
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Mutant created: \Sessions\1\BaseNamedObjects\{{5FB5578-C-AE-8F-0-900--77CA-7B2456F}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2120:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_01
Deletes files inside the Windows folder
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | File deleted: C:\Windows\Temp\tgtD4D7.tmp
Detected potential crypto function
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Code function: 0_2_00401A49 0_2_00401A49
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Code function: 0_2_0040428D 0_2_0040428D
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Code function: 0_2_0040BD8E 0_2_0040BD8E
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Q8aZuE:bin BD327754F879FF15B48FC86C741C4F546B9BBAE5C1A5AC4C095DF05DF696EC4F
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\v2BsMVh:bin BD327754F879FF15B48FC86C741C4F546B9BBAE5C1A5AC4C095DF05DF696EC4F
Source: Joe Sandbox View | Dropped File: C:\Windows\SysWOW64\perfhost.exe BD327754F879FF15B48FC86C741C4F546B9BBAE5C1A5AC4C095DF05DF696EC4F
Source: Joe Sandbox View | Dropped File: C:\Windows\SysWOW64\perfhost.exe:0 10895ADE339744BBABDFB50BE6025217C02C76B1911C2C8740A57912385B38DE
Source: Joe Sandbox View | Dropped File: C:\Windows\System32\TieringEngineService.exe BD327754F879FF15B48FC86C741C4F546B9BBAE5C1A5AC4C095DF05DF696EC4F
Source: Joe Sandbox View | Dropped File: C:\Windows\System32\TieringEngineService.exe:0 2CBB6159E2ACAE4BA73892A4F7F8A3981C159083C29F1A1D548C59FB713B9D74
Sample file is different than original file name gathered from version info
Source: n7WgX8KrT6.exe, 00000000.00000002.4473439575.00000000042F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemsader15.dllb! vs n7WgX8KrT6.exe
Source: n7WgX8KrT6.exe | Binary or memory string: OriginalFilenamemsader15.dllb! vs n7WgX8KrT6.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | File read: C:\Users\user\Desktop\n7WgX8KrT6.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\perfhost.exe | Section loaded: wow64log.dll
Source: C:\Windows\System32\TieringEngineService.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Section loaded: wow64log.dll
Yara signature match
Source: n7WgX8KrT6.exe, type: SAMPLE | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: 00000000.00000002.4472355154.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: DridexV4 author = kev, description = Dridex v4 encrypt/decrypt function, cape_type = Dridex v4 Payload
Source: C:\Users\user\AppData\Roaming\v2BsMVh, type: DROPPED | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: C:\Windows\SysWOW64\perfhost.exe, type: DROPPED | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: C:\Users\user\AppData\Roaming\Q8aZuE, type: DROPPED | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: C:\Windows\System32\TieringEngineService.exe, type: DROPPED | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: 0.2.n7WgX8KrT6.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: DridexV4 author = kev, description = Dridex v4 encrypt/decrypt function, cape_type = Dridex v4 Payload
Source: 0.2.n7WgX8KrT6.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: DridexV4 author = kev, description = Dridex v4 encrypt/decrypt function, cape_type = Dridex v4 Payload
Source: 23.0.v2BsMVh:bin.400000.0.unpack, type: UNPACKEDPE | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: 2.0.Q8aZuE:bin.400000.0.unpack, type: UNPACKEDPE | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: 0.0.n7WgX8KrT6.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: BitPaymer author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
Source: TieringEngineService.exe_0.2.dr | Binary string: PCTieredVolume::CTieredVolumeCTieredVolume::InitializeCTieredVolume::UpdateTieringInformationFromVolumeCTieredVolume::GetGeneralVolumeInfoCTieredVolume::SetupNames\??\GLOBALROOT\Device\HardDisk%u\ClusterPartition%u\CTieredVolume::UpgradePinnedDataDatabaseToDscAttributeCTieredVolume::CloseJetInstanceCTieredVolume::DeviceNotifyCallbackCTieredVolume::OnDumpTableToDatabaseCTieredVolume::OpenFileHandleCTieredVolume::GetTierInfoCTieredVolume::TeardownMovementSessionCTieredVolume::SetDesiredStorageClassCTieredVolume::PinFileInPinnedDbCTieredVolume::ClearPinnedFlagFromHeatDbCTieredVolume::ClearPinnedFileInPinnedDbCTieredVolume::GetTieringStateForPinnedFilesCTieredVolume::GetPinnedFilesFromFileSystem:$DSC:$LOGGED_UTILITY_STREAMCTieredVolume::GetPinnedFilesFromPinnedDbCTieredVolume::GetPinnedFileCountFromFileSystemCTieredVolume::GetPinnedFileCountFromPinnedDbCTieredVolume::QueryDesiredStorageClassCTieredVolume::IsFilePinnedInPinnedDbVolumeChangeDismountDismountFailedMountLockLockFailedUnlockNameChangeNeedChkdskWormNearF
Binary contains paths to development resources
Source: TieringEngineService.exe, 00000014.00000003.5698009662.0000000002F6D000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files (x86)\AutoIt3\AutoItX\Examples\C++\AutoItX.slnU
Source: perfhost.exe, 0000000B.00000003.4992842504.000000000314D000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files (x86)\AutoIt3\AutoItX\Examples\C++\AutoItX.sln
Classification label
Source: classification engine | Classification label: mal100.rans.spre.troj.evad.winEXE@301/26@254/8
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Code function: 0_2_0040CEE8 StartServiceCtrlDispatcherW, 0_2_0040CEE8
Contains functionality to register a service control handler (likely the sample is a service DLL)
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Code function: 0_2_0040CEE8 StartServiceCtrlDispatcherW, 0_2_0040CEE8
Creates files inside the user directory
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | File created: C:\Users\user~1\AppData\Roaming\Q8aZuE
Creates temporary files
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | File created: C:\Users\user~1\AppData\Local\Temp\66175.tmp
PE file has an executable .text section and no other executable section
Source: n7WgX8KrT6.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: n7WgX8KrT6.exe | Virustotal: Detection: 61%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\n7WgX8KrT6.exe 'C:\Users\user\Desktop\n7WgX8KrT6.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Q8aZuE:bin C:\Users\user~1\AppData\Roaming\Q8aZuE:bin C:\Users\user~1\Desktop\N7WGX8~1.EXE
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\takeown.exe C:\Windows\system32\takeown.exe /F C:\Windows\SysWow64\perfhost.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\SysWow64\perfhost.exe /reset
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown | Process created: C:\Windows\System32\takeown.exe C:\Windows\system32\takeown.exe /F C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\system32\SgrmBroker.exe /reset
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\takeown.exe C:\Windows\system32\takeown.exe /F C:\Windows\system32\TieringEngineService.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\system32\TieringEngineService.exe /reset
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\v2BsMVh:bin C:\Users\user~1\AppData\Roaming\v2BsMVh:bin
Source: unknown | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.5
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Process created: C:\Users\user\AppData\Roaming\Q8aZuE:bin C:\Users\user~1\AppData\Roaming\Q8aZuE:bin C:\Users\user~1\Desktop\N7WGX8~1.EXE
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Process created: C:\Windows\System32\takeown.exe C:\Windows\system32\takeown.exe /F C:\Windows\SysWow64\perfhost.exe
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Process created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\SysWow64\perfhost.exe /reset
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Process created: C:\Windows\System32\takeown.exe C:\Windows\system32\takeown.exe /F C:\Windows\system32\SgrmBroker.exe
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Process created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\system32\SgrmBroker.exe /reset
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Process created: C:\Windows\System32\takeown.exe C:\Windows\system32\takeown.exe /F C:\Windows\system32\TieringEngineService.exe
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Process created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\system32\TieringEngineService.exe /reset
Source: C:\Windows\System32\TieringEngineService.exe | Process created: C:\Users\user\AppData\Roaming\v2BsMVh:bin C:\Users\user~1\AppData\Roaming\v2BsMVh:bin
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.5
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7Jump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2Jump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4Jump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8Jump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9Jump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1Jump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7Jump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump to behavior
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\vssadmin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
PE file contains a debug data directory
Source: n7WgX8KrT6.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: PerfHost.pdb source: Q8aZuE:bin, 00000002.00000003.4501462208.00000000041A2000.00000004.00000001.sdmp, perfhost.exe_0.2.dr
Source: Binary string: weblink.pdbbb source: TieringEngineService.exe, 00000014.00000003.5570290183.0000000003A07000.00000004.00000001.sdmp
Source: Binary string: Search.pdbqq) source: TieringEngineService.exe, 00000014.00000003.5567648833.0000000003A07000.00000004.00000001.sdmp
Source: Binary string: ReadOutLoud.pdb source: TieringEngineService.exe, 00000014.00000003.5566159049.0000000003A07000.00000004.00000001.sdmp
Source: Binary string: TieringEngineService.pdb source: Q8aZuE:bin, 00000002.00000003.4519482317.0000000004217000.00000004.00000001.sdmp, TieringEngineService.exe_0.2.dr
Source: Binary string: TieringEngineService.pdbGCTL source: Q8aZuE:bin, 00000002.00000003.4519482317.0000000004217000.00000004.00000001.sdmp, TieringEngineService.exe_0.2.dr
Source: Binary string: QuickTime.pdb source: TieringEngineService.exe, 00000014.00000003.5573692230.0000000003AFA000.00000004.00000001.sdmp
Source: Binary string: WindowsMedia.pdb source: TieringEngineService.exe, 00000014.00000003.5574539770.0000000003AFA000.00000004.00000001.sdmp
Source: Binary string: datamatrixpmp.pdb source: TieringEngineService.exe, 00000014.00000003.5571302948.0000000003A80000.00000004.00000001.sdmp
Source: Binary string: StorageConnectors.pdb source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp
Source: Binary string: ppklite.pdb source: TieringEngineService.exe, 00000014.00000003.5562933901.0000000003CE0000.00000004.00000001.sdmp
Source: Binary string: datamatrixpmp.pdb44 source: TieringEngineService.exe, 00000014.00000003.5571302948.0000000003A80000.00000004.00000001.sdmp
Source: Binary string: weblink.pdb source: TieringEngineService.exe, 00000014.00000003.5570290183.0000000003A07000.00000004.00000001.sdmp
Source: Binary string: Spelling.pdbbb% source: TieringEngineService.exe, 00000014.00000003.5568751265.0000000003A07000.00000004.00000001.sdmp
Source: Binary string: Reflow.pdb__ source: TieringEngineService.exe, 00000014.00000003.5566360244.0000000003A5C000.00000004.00000001.sdmp
Source: Binary string: ReadOutLoud.pdbGG source: TieringEngineService.exe, 00000014.00000003.5566159049.0000000003A07000.00000004.00000001.sdmp
Source: Binary string: PDDom.pdbuu source: TieringEngineService.exe, 00000014.00000003.5561899891.0000000003A07000.00000004.00000001.sdmp
Source: Binary string: Reflow.pdb source: TieringEngineService.exe, 00000014.00000003.5566360244.0000000003A5C000.00000004.00000001.sdmp
Source: Binary string: Search.pdb source: TieringEngineService.exe, 00000014.00000003.5567648833.0000000003A07000.00000004.00000001.sdmp
Source: Binary string: QuickTime.pdb$$ source: TieringEngineService.exe, 00000014.00000003.5573692230.0000000003AFA000.00000004.00000001.sdmp
Source: Binary string: StorageConnectors.pdbff" source: TieringEngineService.exe, 00000014.00000003.5569350994.0000000003A6E000.00000004.00000001.sdmp
Source: Binary string: PDDom.pdb source: TieringEngineService.exe, 00000014.00000003.5561899891.0000000003A07000.00000004.00000001.sdmp
Source: Binary string: 04QuURX.pdb source: n7WgX8KrT6.exe
Source: Binary string: Spelling.pdb source: TieringEngineService.exe, 00000014.00000003.5568751265.0000000003A07000.00000004.00000001.sdmp
Source: Binary string: PerfHost.pdbGCTL source: Q8aZuE:bin, 00000002.00000003.4501462208.00000000041A2000.00000004.00000001.sdmp, perfhost.exe_0.2.dr
Source: Binary string: WindowsMedia.pdb88* source: TieringEngineService.exe, 00000014.00000003.5574539770.0000000003AFA000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Unpacked PE file: 0.2.n7WgX8KrT6.exe.400000.0.unpack .text:ER;.data0:R;.data:W;.qdata:W;.code:W;.CRT:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;.bss:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Unpacked PE file: 0.2.n7WgX8KrT6.exe.400000.0.unpack
Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xBC64E3B0 [Thu Feb 27 12:08:16 2070 UTC]
PE file contains sections with non-standard names
Source: n7WgX8KrT6.exe | Static PE information: section name: .data0
Source: n7WgX8KrT6.exe | Static PE information: section name: .qdata
Source: n7WgX8KrT6.exe | Static PE information: section name: .code
Source: Q8aZuE_bin.0.dr | Static PE information: section name: .data0
Source: Q8aZuE_bin.0.dr | Static PE information: section name: .qdata
Source: Q8aZuE_bin.0.dr | Static PE information: section name: .code
Source: perfhost.exe.2.dr | Static PE information: section name: .data0
Source: perfhost.exe.2.dr | Static PE information: section name: .qdata
Source: perfhost.exe.2.dr | Static PE information: section name: .code
Source: TieringEngineService.exe.2.dr | Static PE information: section name: .data0
Source: TieringEngineService.exe.2.dr | Static PE information: section name: .qdata
Source: TieringEngineService.exe.2.dr | Static PE information: section name: .code
Source: TieringEngineService.exe_0.2.dr | Static PE information: section name: .didat
Source: v2BsMVh_bin.20.dr | Static PE information: section name: .data0
Source: v2BsMVh_bin.20.dr | Static PE information: section name: .qdata
Source: v2BsMVh_bin.20.dr | Static PE information: section name: .code

Persistence and Installation Behavior:

Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | System file written: C:\Windows\System32\TieringEngineService.exe
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | System file written: C:\Windows\SysWOW64\perfhost.exe
Drops PE files
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | File created: C:\Users\user\AppData\Roaming\Q8aZuE:bin
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | File created: C:\Windows\System32\TieringEngineService.exe
Source: C:\Windows\System32\TieringEngineService.exe | File created: C:\Users\user\AppData\Roaming\v2BsMVh:bin
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | File created: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | File created: C:\Windows\SysWOW64\perfhost.exe:0
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | File created: C:\Windows\System32\TieringEngineService.exe:0
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | File created: C:\Windows\System32\TieringEngineService.exe
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | File created: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | File created: C:\Windows\SysWOW64\perfhost.exe:0
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | File created: C:\Windows\System32\TieringEngineService.exe:0
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | File created: C:\Windows\SysWOW64\perfhost.exe:0
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | File created: C:\Windows\System32\TieringEngineService.exe:0

Boot Survival:

Creates or modifies windows services
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfHost
Modifies existing windows services
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfHost
Contains functionality to start windows services
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Code function: 0_2_0040CEE8 StartServiceCtrlDispatcherW,0_2_0040CEE8

Hooking and other Techniques for Hiding and Protection:

Creates files in alternative data streams (ADS)
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | File created: C:\Users\user~1\AppData\Roaming\Q8aZuE:bin
Deletes itself after installation
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | File deleted: c:\users\user\desktop\n7wgx8krt6.exe
Uses cacls to modify the permissions of files
Source: unknown | Process created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\SysWow64\perfhost.exe /reset
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\TieringEngineService.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Enumerates the file system
Source: C:\Windows\SysWOW64\perfhost.exe | File opened: C:\Program Files (x86)\Adobe
Source: C:\Windows\SysWOW64\perfhost.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp
Source: C:\Windows\SysWOW64\perfhost.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl
Source: C:\Windows\SysWOW64\perfhost.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader
Source: C:\Windows\SysWOW64\perfhost.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU
Source: C:\Windows\SysWOW64\perfhost.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Dropped PE file which has not been started: C:\Windows\SysWOW64\perfhost.exe:0
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Dropped PE file which has not been started: C:\Windows\System32\TieringEngineService.exe:0
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_0-9641
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Code function: 0_2_0040EA3C FindFirstFileExW,0_2_0040EA3C
Contains functionality to query system information
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Code function: 0_2_0040727A GetSystemInfo,0_2_0040727A
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: perfhost.exe, 0000000B.00000002.5009085381.0000000002824000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service/
Source: Q8aZuE:bin, 00000002.00000003.4519956451.0000000004186000.00000004.00000001.sdmp, perfhost.exe, 0000000B.00000002.5009085381.0000000002824000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: perfhost.exe, 0000000B.00000003.5004670158.0000000003AC9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Servicea
Source: TieringEngineService.exe, 00000014.00000003.5689377091.0000000003741000.00000004.00000001.sdmp | Binary or memory string: vRDcrwC9ua9dtRr0oxgQJrThq+vyxij3uOSUTf+V/o22YoETQgVMCiqjbBBlz85SfSqH4TMcLlg4
Source: Q8aZuE:bin, 00000002.00000003.4519956451.0000000004186000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interfacef
Source: Q8aZuE:bin, 00000002.00000003.4519956451.0000000004186000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service*
Source: Q8aZuE:bin, 00000002.00000003.4519956451.0000000004186000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: perfhost.exe, 0000000B.00000002.5009085381.0000000002824000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: Q8aZuE:bin, 00000002.00000003.4519956451.0000000004186000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: perfhost.exe, 0000000B.00000002.5009085381.0000000002824000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: ARP.EXE, 00000018.00000002.5025581523.000002347E450000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Program exit points
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | API call chain: ExitProcess graph end node | graph_0-9908
Queries a list of all running processes
Source: C:\Windows\SysWOW64\perfhost.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Code function: 0_2_00407DEC LdrLoadDll, 0_2_00407DEC
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Code function: 0_2_0248178B SetUnhandledExceptionFilter, 0_2_0248178B

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\n7WgX8KrT6.exe | Process created: C:\Users\user\AppData\Roaming\Q8aZuE:bin C:\Users\user~1\AppData\Roaming\Q8aZuE:bin C:\Users\user~1\Desktop\N7WGX8~1.EXE
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Process created: C:\Windows\System32\takeown.exe C:\Windows\system32\takeown.exe /F C:\Windows\SysWow64\perfhost.exe
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Process created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\SysWow64\perfhost.exe /reset
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Process created: C:\Windows\System32\takeown.exe C:\Windows\system32\takeown.exe /F C:\Windows\system32\SgrmBroker.exe
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Process created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\system32\SgrmBroker.exe /reset
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Process created: C:\Windows\System32\takeown.exe C:\Windows\system32\takeown.exe /F C:\Windows\system32\TieringEngineService.exe
Source: C:\Users\user\AppData\Roaming\Q8aZuE:bin | Process created: C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\Windows\system32\TieringEngineService.exe /reset
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.5
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: unknown unknown (19 consecutive entries)
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: unknown unknown (15 consecutive entries)
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.5
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: unknown unknown (3 consecutive entries)
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: unknown unknown (9 consecutive entries)
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: unknown unknown (14 consecutive entries)
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: unknown unknown (6 consecutive entries)
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: unknown unknown (14 consecutive entries)
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\v2BsMVh:bin | Process created: unknown unknown (9 consecutive entries)
Source: C:\Users\user\AppData\Roaming\v2BsMVh:binProcess created: unknown unknownJump
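The process-creation chain in this section is the part of the report a detection engineer can act on directly: a dropper executed from an NTFS alternate data stream (`...\Q8aZuE:bin`), shadow-copy deletion via `vssadmin Delete Shadows /All /Quiet`, `takeown` plus `icacls /reset` on three protected system binaries (presumably so they can be overwritten; the later memory dumps do come from processes named perfhost.exe and TieringEngineService.exe), and a second ADS-hosted stage (`...\v2BsMVh:bin`) running `arp -a` and an `nslookup` sweep over 192.168.2.x. The following is an added example, not code from the Joe Sandbox report or from the sample, that turns those observations into rules and runs them over events constructed from the lines above plus one benign control (a single `nslookup` from cmd.exe). The rule names, the sweep threshold of four hosts, and the event tuple layout are this example's own assumptions, not Joe Sandbox conventions.

```python
"""Detection rules for the process-creation chain reported above.

Added example; not code from the Joe Sandbox report or from the sample.
Rule names, the sweep threshold and the event layout are this example's
own assumptions. The event tuples are constructed from the report's
"Process created" lines, plus one benign control event at the end.
"""
import re
from collections import defaultdict

# Event records: (parent image, child image, child command line).
# Constructed from the report above; the final cmd.exe event is a benign control.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\n7WgX8KrT6.exe",
     r"C:\Users\user\AppData\Roaming\Q8aZuE:bin",
     r"C:\Users\user~1\AppData\Roaming\Q8aZuE:bin C:\Users\user~1\Desktop\N7WGX8~1.EXE"),
    (r"C:\Users\user\AppData\Roaming\Q8aZuE:bin",
     r"C:\Windows\System32\vssadmin.exe",
     r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"),
    (r"C:\Users\user\AppData\Roaming\Q8aZuE:bin",
     r"C:\Windows\System32\takeown.exe",
     r"C:\Windows\system32\takeown.exe /F C:\Windows\SysWow64\perfhost.exe"),
    (r"C:\Users\user\AppData\Roaming\Q8aZuE:bin",
     r"C:\Windows\System32\icacls.exe",
     r"C:\Windows\system32\icacls.exe C:\Windows\SysWow64\perfhost.exe /reset"),
    (r"C:\Users\user\AppData\Roaming\Q8aZuE:bin",
     r"C:\Windows\System32\takeown.exe",
     r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\SgrmBroker.exe"),
    (r"C:\Users\user\AppData\Roaming\v2BsMVh:bin",
     r"C:\Windows\System32\ARP.EXE",
     r"C:\Windows\system32\\arp.exe -a"),
] + [
    (r"C:\Users\user\AppData\Roaming\v2BsMVh:bin",
     r"C:\Windows\System32\nslookup.exe",
     r"C:\Windows\system32\\nslookup.exe 192.168.2." + str(i))
    for i in (1, 2, 3, 4, 5, 7, 8, 9)
] + [
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\nslookup.exe",
     r"nslookup.exe 192.168.2.1"),
]

# A drive-letter path with a second ':' names an NTFS alternate data stream
# ("file:stream"); Windows will execute an image stored in one.
ADS_IMAGE_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")
# A protected system binary passed as a single command-line token.
SYSTEM_BIN_RE = re.compile(r"(?i)^[A-Za-z]:\\Windows\\(?:System32|SysWOW64)\\[^\\]+\.exe$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def image_name(path):
    """Basename of an image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def is_ads_image(path):
    return ADS_IMAGE_RE.match(path) is not None


def per_event_rules(parent, child, cmdline):
    """Rules that fire on a single process-creation event."""
    hits = []
    exe = image_name(child)
    # Whitespace split is enough for the report's command lines; a real
    # pipeline should use the OS's own argument parsing (quoted paths).
    args = cmdline.split()[1:]
    lowered = [a.lower() for a in args]
    if is_ads_image(parent):
        hits.append("parent_image_in_ads")
    if exe == "vssadmin.exe" and "delete" in lowered and "shadows" in lowered:
        hits.append("shadow_copy_deletion")
    # Match only the arguments, never the takeown/icacls image path itself.
    if exe in ("takeown.exe", "icacls.exe") and any(SYSTEM_BIN_RE.match(a) for a in args):
        hits.append("system_binary_ownership_change")
    return hits


def host_sweeps(events, min_targets=4):
    """Correlation rule: one parent resolving >= min_targets distinct IPv4 hosts."""
    targets = defaultdict(set)
    for parent, child, cmdline in events:
        if image_name(child) == "nslookup.exe":
            targets[parent].update(IPV4_RE.findall(cmdline))
    return {parent: sorted(ips, key=lambda ip: tuple(int(o) for o in ip.split(".")))
            for parent, ips in targets.items() if len(ips) >= min_targets}


def analyze(events):
    """Return {rule_name: [evidence, ...]} for every rule that fired."""
    findings = defaultdict(list)
    for parent, child, cmdline in events:
        for rule in per_event_rules(parent, child, cmdline):
            findings[rule].append(cmdline)
    for parent, ips in host_sweeps(events).items():
        findings["host_discovery_sweep"].append(
            f"{parent} -> {ips[0]}..{ips[-1]} ({len(ips)} hosts)")
    return dict(findings)


if __name__ == "__main__":
    for rule, evidence in analyze(SAMPLE_EVENTS).items():
        print(f"[{rule}]")
        for line in evidence:
            print("   ", line)
```

The single-event rules are cheap and high-confidence on their own (`vssadmin` deleting all shadows, or `takeown`/`icacls` touching a System32 binary, has almost no legitimate interactive use); the sweep rule needs correlation across events, which is why it keys on the parent image and counts distinct targets rather than alerting on the first `nslookup`. The control event shows that a lone lookup from cmd.exe stays below the threshold.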