Play interactive tour

Edit tour

Analysis Report shipping order.exe

Overview

General Information

Sample Name:	shipping order.exe
Analysis ID:	337538
MD5:	b87925c7eb04ed03b7d1b9a5a39358d8
SHA1:	cff199d7a3b2ecb1d5a6c2ba48de92901789cfda
SHA256:	8daa3b16b15dd52ffb99eb0644b52712d889fe9528f8633dd16b4b405b017130
Tags:	EnduranceexeNanoCoreRAT
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Powershell adding suspicious path to exclusion list

Yara detected Nanocore RAT

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Creates an undocumented autostart registry key

Creates autostart registry keys with suspicious names

Creates multiple autostart registry keys

Drops PE files to the startup folder

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains strange resources

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Startup

System is w10x64

shipping order.exe (PID: 5316 cmdline: 'C:\Users\user\Desktop\shipping order.exe' MD5: B87925C7EB04ED03B7D1B9A5A39358D8)

powershell.exe (PID: 1000 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 768 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 4724 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 4600 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6292 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 6464 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

cmd.exe (PID: 6728 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 6820 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

cmd.exe (PID: 1688 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 6460 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

shipping order.exe (PID: 5732 cmdline: C:\Users\user\Desktop\shipping order.exe MD5: B87925C7EB04ED03B7D1B9A5A39358D8)

WerFault.exe (PID: 5960 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 2616 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

shipping order.exe (PID: 6696 cmdline: 'C:\Users\user\Desktop\shipping order.exe' MD5: B87925C7EB04ED03B7D1B9A5A39358D8)

powershell.exe (PID: 5128 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

shipping order.exe (PID: 1624 cmdline: 'C:\Users\user\Desktop\shipping order.exe' MD5: B87925C7EB04ED03B7D1B9A5A39358D8)

shipping order.exe (PID: 5860 cmdline: 'C:\Users\user\Desktop\shipping order.exe' MD5: B87925C7EB04ED03B7D1B9A5A39358D8)

shipping order.exe (PID: 6892 cmdline: 'C:\Users\user\Desktop\shipping order.exe' MD5: B87925C7EB04ED03B7D1B9A5A39358D8)

shipping order.exe (PID: 6436 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' MD5: B87925C7EB04ED03B7D1B9A5A39358D8)

cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["311.10.11.15"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x102dd:$x1: NanoCore.ClientPluginHost 0x430fd:$x1: NanoCore.ClientPluginHost 0x75d1d:$x1: NanoCore.ClientPluginHost 0x1031a:$x2: IClientNetworkHost 0x4313a:$x2: IClientNetworkHost 0x75d5a:$x2: IClientNetworkHost 0x13e4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46c6d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7988d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10045:$a: NanoCore 0x10055:$a: NanoCore 0x10289:$a: NanoCore 0x1029d:$a: NanoCore 0x102dd:$a: NanoCore 0x42e65:$a: NanoCore 0x42e75:$a: NanoCore 0x430a9:$a: NanoCore 0x430bd:$a: NanoCore 0x430fd:$a: NanoCore 0x75a85:$a: NanoCore 0x75a95:$a: NanoCore 0x75cc9:$a: NanoCore 0x75cdd:$a: NanoCore 0x75d1d:$a: NanoCore 0x100a4:$b: ClientPlugin 0x102a6:$b: ClientPlugin 0x102e6:$b: ClientPlugin 0x42ec4:$b: ClientPlugin 0x430c6:$b: ClientPlugin 0x43106:$b: ClientPlugin
0000001E.00000002.606733051.00000000032E1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42ee5:$a: NanoCore 0x42f3e:$a: NanoCore 0x42f7b:$a: NanoCore 0x42ff4:$a: NanoCore 0x5669f:$a: NanoCore 0x566b4:$a: NanoCore 0x566e9:$a: NanoCore 0x6f173:$a: NanoCore 0x6f188:$a: NanoCore 0x6f1bd:$a: NanoCore 0x42f47:$b: ClientPlugin 0x42f84:$b: ClientPlugin 0x43882:$b: ClientPlugin 0x4388f:$b: ClientPlugin 0x5645b:$b: ClientPlugin 0x56476:$b: ClientPlugin 0x564a6:$b: ClientPlugin 0x566bd:$b: ClientPlugin 0x566f2:$b: ClientPlugin 0x6ef2f:$b: ClientPlugin 0x6ef4a:$b: ClientPlugin
Process Memory Space: shipping order.exe PID: 5732	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x147824:$x1: NanoCore.ClientPluginHost 0x205906:$x1: NanoCore.ClientPluginHost 0x257e92:$x1: NanoCore.ClientPluginHost 0x25da51:$x1: NanoCore.ClientPluginHost 0x26e8d3:$x1: NanoCore.ClientPluginHost 0x147885:$x2: IClientNetworkHost 0x20592c:$x2: IClientNetworkHost 0x257eb8:$x2: IClientNetworkHost 0x25da96:$x2: IClientNetworkHost 0x26e918:$x2: IClientNetworkHost 0x14cc8a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x15abfc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: shipping order.exe PID: 5732	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: shipping order.exe PID: 5732	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x147329:$a: NanoCore 0x147345:$a: NanoCore 0x1474a0:$a: NanoCore 0x1474af:$a: NanoCore 0x147788:$a: NanoCore 0x1477b4:$a: NanoCore 0x147824:$a: NanoCore 0x157266:$a: NanoCore 0x157278:$a: NanoCore 0x1572b4:$a: NanoCore 0x1f83e3:$a: NanoCore 0x1f844a:$a: NanoCore 0x1f84ed:$a: NanoCore 0x2057f8:$a: NanoCore 0x205899:$a: NanoCore 0x205906:$a: NanoCore 0x2059c7:$a: NanoCore 0x206898:$a: NanoCore 0x2068eb:$a: NanoCore 0x206924:$a: NanoCore 0x206997:$a: NanoCore
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
30.2.shipping order.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
30.2.shipping order.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
30.2.shipping order.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
30.2.shipping order.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\shipping order.exe, ProcessId: 5732, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Powershell adding suspicious path to exclusion list

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\shipping order.exe' , ParentImage: C:\Users\user\Desktop\shipping order.exe, ParentProcessId: 5316, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force, ProcessId: 1000

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: shipping order.exe.5732.30.memstr

Malware Configuration Extractor: NanoCore {"C2: ": ["311.10.11.15"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe	ReversingLabs: Detection: 30%

Multi AV Scanner detection for submitted file

Show sources

Source: shipping order.exe	Virustotal: Detection: 34%			Perma Link
Source: shipping order.exe	ReversingLabs: Detection: 30%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.606733051.00000000032E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipping order.exe PID: 5732, type: MEMORY
Source: Yara match	File source: 30.2.shipping order.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: shipping order.exe

Joe Sandbox ML: detected

Source: shipping order.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown	HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49710 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49730 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49733 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49736 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49741 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49759 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49765 version: TLS 1.0

Source: shipping order.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000023.00000003.349471169.0000000005237000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\user\Desktop\shipping order.PDB8 source: shipping order.exe, 00000000.00000002.587470531.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbezi source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbe source: shipping order.exe, 0000001D.00000002.598875742.0000000001007000.00000004.00000020.sdmp
Source:	Binary string: shipping order.PDB" source: shipping order.exe, 0000000E.00000002.466963492.0000000000F68000.00000004.00000010.sdmp
Source:	Binary string: System.Xml.ni.pdbL source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: shipping order.exe, 0000001B.00000002.600047696.000000000148C000.00000004.00000020.sdmp, shipping order.exe, 0000001D.00000002.598875742.0000000001007000.00000004.00000020.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
Source:	Binary string: oft.VisualBasic.pdb source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: shipping order.exe, 00000000.00000002.599854975.000000000128E000.00000004.00000020.sdmp, shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: shipping order.exe, 0000001D.00000002.598875742.0000000001007000.00000004.00000020.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: shipping order.exe, 00000000.00000002.587470531.0000000000EF8000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.466963492.0000000000F68000.00000004.00000010.sdmp, shipping order.exe, 0000001B.00000002.587581007.00000000010F8000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.587046674.0000000000CF8000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdbL source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: version.pdbi source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb= source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
Source:	Binary string: System.Windows.Forms.pdbL source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbn source: shipping order.exe, 0000001D.00000002.598875742.0000000001007000.00000004.00000020.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\shipping order.PDB source: shipping order.exe, 0000001B.00000002.599305749.0000000001428000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbe{ source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp, shipping order.exe, 0000001B.00000002.599305749.0000000001428000.00000004.00000020.sdmp
Source:	Binary string: System.Core.ni.pdbj source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: w.pdb source: shipping order.exe, 0000001B.00000002.587581007.00000000010F8000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.587046674.0000000000CF8000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbk source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: shipping order.exe, 0000001B.00000002.600047696.000000000148C000.00000004.00000020.sdmp
Source:	Binary string: System.ni.pdbj source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdb3 source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: ic.pdbW source: shipping order.exe, 00000000.00000002.587470531.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: shipping order.exe, 0000001B.00000002.600047696.000000000148C000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: shipping order.exe, 0000001B.00000002.598463851.00000000013F4000.00000004.00000020.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: System.pdbL source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb{ source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdboto source: shipping order.exe, 00000000.00000002.599854975.000000000128E000.00000004.00000020.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb6e8 source: shipping order.exe, 0000001B.00000002.599305749.0000000001428000.00000004.00000020.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbel source: shipping order.exe, 00000000.00000002.599854975.000000000128E000.00000004.00000020.sdmp
Source:	Binary string: C:\Users\user\Desktop\shipping order.PDB source: shipping order.exe, 0000000E.00000002.466963492.0000000000F68000.00000004.00000010.sdmp, shipping order.exe, 0000001B.00000002.587581007.00000000010F8000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.587046674.0000000000CF8000.00000004.00000001.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: shipping order.PDB source: shipping order.exe, 00000000.00000002.587470531.0000000000EF8000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.587581007.00000000010F8000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.587046674.0000000000CF8000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbj source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

IPs: 311.10.11.15

Connects to a pastebin service (likely for C&C)

Show sources

Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com

Source: global traffic

TCP traffic: 192.168.2.5:49731 -> 194.5.97.173:10004

Source: Joe Sandbox View	IP Address: 104.23.99.190 104.23.99.190
Source: Joe Sandbox View	IP Address: 104.23.99.190 104.23.99.190
Source: Joe Sandbox View	IP Address: 104.23.98.190 104.23.98.190
Source: Joe Sandbox View	IP Address: 104.23.98.190 104.23.98.190

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49710 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49730 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49733 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49736 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49741 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49759 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49765 version: TLS 1.0

Source: unknown

DNS traffic detected: queries for: pastebin.com

Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535270665.0000000003783000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.624981836.0000000003693000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: powershell.exe, 00000005.00000002.593882725.00000000037A6000.00000004.00000020.sdmp, powershell.exe, 00000006.00000003.527145991.00000000032F2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535270665.0000000003783000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.624981836.0000000003693000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535270665.0000000003783000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.624981836.0000000003693000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535270665.0000000003783000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.624981836.0000000003693000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0L
Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000006.00000002.631313562.0000000005C84000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535270665.0000000003783000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.624981836.0000000003693000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535270665.0000000003783000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.624981836.0000000003693000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535270665.0000000003783000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.624981836.0000000003693000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com
Source: powershell.exe, 00000006.00000002.603137277.0000000004D5E000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.606076102.000000000495E000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png$6
Source: powershell.exe, 00000001.00000002.605929285.000000000488D000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngt
Source: powershell.exe, 00000001.00000002.605929285.000000000488D000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.606076102.000000000495E000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.605732034.000000000531E000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.603137277.0000000004D5E000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: shipping order.exe, 00000000.00000002.611055849.0000000002EB1000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.601882305.0000000004751000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.600388750.0000000004821000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.600934151.00000000051E1000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.597635539.0000000004C21000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.484012193.00000000030D1000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.605222974.0000000002FE1000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.607170263.0000000002D41000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.604939441.0000000002F71000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.605929285.000000000488D000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.606076102.000000000495E000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.605732034.000000000531E000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.603137277.0000000004D5E000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000006.00000002.603137277.0000000004D5E000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.606076102.000000000495E000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html$6
Source: powershell.exe, 00000001.00000002.605929285.000000000488D000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlt
Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000006.00000002.631313562.0000000005C84000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.631313562.0000000005C84000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.631313562.0000000005C84000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.603137277.0000000004D5E000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.606076102.000000000495E000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester$6
Source: powershell.exe, 00000001.00000002.605929285.000000000488D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pestert
Source: powershell.exe, 00000001.00000003.505791219.0000000005105000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.531194458.0000000005B92000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.631313562.0000000005C84000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: shipping order.exe, 00000000.00000002.629479307.0000000003550000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.532866722.000000000371A000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.623796584.000000000362A000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.624812497.000000000338A000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com
Source: shipping order.exe, 0000001D.00000002.624812497.000000000338A000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/W63zsRav
Source: shipping order.exe, 00000000.00000002.629479307.0000000003550000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.532866722.000000000371A000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.623796584.000000000362A000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.624812497.000000000338A000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com4
Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 00000000.00000002.630060439.0000000003583000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535947107.000000000379F000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.536440471.00000000037A3000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.625432894.00000000036AF000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.625572593.00000000036B3000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625898759.0000000003413000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535270665.0000000003783000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443

Source: shipping order.exe, 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.606733051.00000000032E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipping order.exe PID: 5732, type: MEMORY
Source: Yara match	File source: 30.2.shipping order.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: shipping order.exe PID: 5732, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: shipping order.exe PID: 5732, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.shipping order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.shipping order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: shipping order.exe

Source: C:\Users\user\Desktop\shipping order.exe	Code function: 0_2_01410040
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 0_2_0141F0B8
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 0_2_0141F988
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 0_2_01410E90
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 0_2_0141ED70
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 0_2_0155A200
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 0_2_0155EDB8
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 0_2_0155F468
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 0_2_0155A1EF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005DE068
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005DE068
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005DBD38
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005D4D28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005EF390
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005E9540
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005E6728
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005EB938
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005EDA20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005EBEC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005E8190
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005E6718
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005EB938
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005E9D70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00835888
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0083BAD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_008374D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00830040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0083BAD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0083BAD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00835888
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00E4AF89
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00E475E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00E475F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00E4AFE8
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 14_2_016E0040
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 14_2_016EF0B8
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 14_2_016EF988
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 14_2_016E0E90
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 14_2_016EED70
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 14_2_02F8A200
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 14_2_02F8F468
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 14_2_02F8EDB8
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 14_2_02F8A1EF
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 27_2_016DF0B8
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 27_2_016DF988
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 27_2_016DED70

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 2616

Source: shipping order.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: shipping order.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: shipping order.exe, 00000000.00000002.610663705.0000000002E90000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs shipping order.exe
Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs shipping order.exe
Source: shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs shipping order.exe
Source: shipping order.exe, 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamebfba bbe.exe2 vs shipping order.exe
Source: shipping order.exe, 0000000E.00000002.625130953.0000000005650000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs shipping order.exe
Source: shipping order.exe, 0000001B.00000002.598067590.00000000013CA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs shipping order.exe
Source: shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs shipping order.exe
Source: shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs shipping order.exe
Source: shipping order.exe, 0000001E.00000002.606733051.00000000032E1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs shipping order.exe
Source: shipping order.exe, 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs shipping order.exe
Source: shipping order.exe, 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs shipping order.exe
Source: shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs shipping order.exe

Source: shipping order.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: shipping order.exe PID: 5732, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: shipping order.exe PID: 5732, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.2.shipping order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.shipping order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.shipping order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb=
Source: shipping order.exe, 0000001B.00000002.599305749.0000000001428000.00000004.00000020.sdmp	Binary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb6e8
Source: shipping order.exe, 0000001B.00000002.600047696.000000000148C000.00000004.00000020.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.adwa.evad.winEXE@55/23@26/5

Source: C:\Users\user\Desktop\shipping order.exe

File created: C:\Program Files (x86)\DHCP Monitor

Source: C:\Users\user\Desktop\shipping order.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4668:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_01
Source: C:\Users\user\Desktop\shipping order.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{db5d3893-53a7-40c5-9e07-c472ba23289f}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4572:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5316

Source: C:\Users\user\Desktop\shipping order.exe

File created: C:\Users\user\AppData\Local\Temp\028a5345-3ada-4536-b4b8-e5892a029a73

Jump to behavior

Source: shipping order.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\shipping order.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\shipping order.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\shipping order.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\shipping order.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\shipping order.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\shipping order.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\shipping order.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\shipping order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\shipping order.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\shipping order.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\shipping order.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\shipping order.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\shipping order.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\shipping order.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: shipping order.exe	Virustotal: Detection: 34%
Source: shipping order.exe	ReversingLabs: Detection: 30%

Source: C:\Users\user\Desktop\shipping order.exe

File read: C:\Users\user\Desktop\shipping order.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\shipping order.exe 'C:\Users\user\Desktop\shipping order.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Users\user\Desktop\shipping order.exe 'C:\Users\user\Desktop\shipping order.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\shipping order.exe 'C:\Users\user\Desktop\shipping order.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Users\user\Desktop\shipping order.exe 'C:\Users\user\Desktop\shipping order.exe'
Source: unknown	Process created: C:\Users\user\Desktop\shipping order.exe C:\Users\user\Desktop\shipping order.exe
Source: unknown	Process created: C:\Users\user\Desktop\shipping order.exe 'C:\Users\user\Desktop\shipping order.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 2616
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order.exe' -Force
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Users\user\Desktop\shipping order.exe C:\Users\user\Desktop\shipping order.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\shipping order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\shipping order.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: shipping order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: shipping order.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: shipping order.exe

Static file information: File size 2814976 > 1048576

Source: shipping order.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x286400

Source: shipping order.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000023.00000003.349471169.0000000005237000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\user\Desktop\shipping order.PDB8 source: shipping order.exe, 00000000.00000002.587470531.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbezi source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbe source: shipping order.exe, 0000001D.00000002.598875742.0000000001007000.00000004.00000020.sdmp
Source:	Binary string: shipping order.PDB" source: shipping order.exe, 0000000E.00000002.466963492.0000000000F68000.00000004.00000010.sdmp
Source:	Binary string: System.Xml.ni.pdbL source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: shipping order.exe, 0000001B.00000002.600047696.000000000148C000.00000004.00000020.sdmp, shipping order.exe, 0000001D.00000002.598875742.0000000001007000.00000004.00000020.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
Source:	Binary string: oft.VisualBasic.pdb source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: shipping order.exe, 00000000.00000002.599854975.000000000128E000.00000004.00000020.sdmp, shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: shipping order.exe, 0000001D.00000002.598875742.0000000001007000.00000004.00000020.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: shipping order.exe, 00000000.00000002.587470531.0000000000EF8000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.466963492.0000000000F68000.00000004.00000010.sdmp, shipping order.exe, 0000001B.00000002.587581007.00000000010F8000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.587046674.0000000000CF8000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdbL source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: version.pdbi source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb= source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
Source:	Binary string: System.Windows.Forms.pdbL source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbn source: shipping order.exe, 0000001D.00000002.598875742.0000000001007000.00000004.00000020.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\shipping order.PDB source: shipping order.exe, 0000001B.00000002.599305749.0000000001428000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbe{ source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp, shipping order.exe, 0000001B.00000002.599305749.0000000001428000.00000004.00000020.sdmp
Source:	Binary string: System.Core.ni.pdbj source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: w.pdb source: shipping order.exe, 0000001B.00000002.587581007.00000000010F8000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.587046674.0000000000CF8000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbk source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: shipping order.exe, 0000001B.00000002.600047696.000000000148C000.00000004.00000020.sdmp
Source:	Binary string: System.ni.pdbj source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdb3 source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: ic.pdbW source: shipping order.exe, 00000000.00000002.587470531.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: shipping order.exe, 0000001B.00000002.600047696.000000000148C000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: shipping order.exe, 0000001B.00000002.598463851.00000000013F4000.00000004.00000020.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: System.pdbL source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb{ source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdboto source: shipping order.exe, 00000000.00000002.599854975.000000000128E000.00000004.00000020.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb6e8 source: shipping order.exe, 0000001B.00000002.599305749.0000000001428000.00000004.00000020.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbel source: shipping order.exe, 00000000.00000002.599854975.000000000128E000.00000004.00000020.sdmp
Source:	Binary string: C:\Users\user\Desktop\shipping order.PDB source: shipping order.exe, 0000000E.00000002.466963492.0000000000F68000.00000004.00000010.sdmp, shipping order.exe, 0000001B.00000002.587581007.00000000010F8000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.587046674.0000000000CF8000.00000004.00000001.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
Source:	Binary string: shipping order.PDB source: shipping order.exe, 00000000.00000002.587470531.0000000000EF8000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.587581007.00000000010F8000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.587046674.0000000000CF8000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbj source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp

Source: shipping order.exe	Static PE information: real checksum: 0x295f91 should be: 0x2b7180
Source: shipping order.exe.0.dr	Static PE information: real checksum: 0x295f91 should be: 0x2b7180

Source: C:\Users\user\Desktop\shipping order.exe	Code function: 0_2_01552190 pushad ; ret
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 0_2_01553190 pushad ; retf
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 0_2_01553990 pushad ; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005D9020 push eax; mov dword ptr [esp], ecx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005D58D8 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005D6090 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005D6080 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_008327D8 push esp; ret
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 14_2_02F83190 pushad ; retf
Source: C:\Users\user\Desktop\shipping order.exe	Code function: 14_2_02F83990 pushad ; iretd

Source: C:\Users\user\Desktop\shipping order.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe			Jump to dropped file
Source: C:\Users\user\Desktop\shipping order.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Users\user\Desktop\shipping order.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon shell

Jump to behavior

Creates autostart registry keys with suspicious names

Show sources

Source: C:\Users\user\Desktop\shipping order.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>

Creates multiple autostart registry keys

Show sources

Source: C:\Users\user\Desktop\shipping order.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run shipping order.exe			Jump to behavior
Source: C:\Users\user\Desktop\shipping order.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>

Drops PE files to the startup folder

Show sources

Source: C:\Users\user\Desktop\shipping order.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe

Jump to dropped file

Source: C:\Users\user\Desktop\shipping order.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe

Jump to behavior

Source: C:\Users\user\Desktop\shipping order.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe			Jump to behavior
Source: C:\Users\user\Desktop\shipping order.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\Desktop\shipping order.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>	Jump to behavior
Source: C:\Users\user\Desktop\shipping order.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>	Jump to behavior
Source: C:\Users\user\Desktop\shipping order.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run shipping order.exe	Jump to behavior
Source: C:\Users\user\Desktop\shipping order.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run shipping order.exe	Jump to behavior
Source: C:\Users\user\Desktop\shipping order.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
Source: C:\Users\user\Desktop\shipping order.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\shipping order.exe

File opened: C:\Users\user\Desktop\shipping order.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\shipping order.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping order.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\shipping order.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\shipping order.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\shipping order.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\shipping order.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\shipping order.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\shipping order.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: shipping order.exe, 00000000.00000002.611055849.0000000002EB1000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.484012193.00000000030D1000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.605222974.0000000002FE1000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.607170263.0000000002D41000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.604939441.0000000002F71000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAMEX
Source: shipping order.exe, 00000000.00000002.611055849.0000000002EB1000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.484012193.00000000030D1000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.605222974.0000000002FE1000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.607170263.0000000002D41000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.604939441.0000000002F71000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\shipping order.exe	File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmmouse.sys
Source: C:\Users\user\Desktop\shipping order.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\shipping order.exe	File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmhgfs.sys
Source: C:\Users\user\Desktop\shipping order.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\shipping order.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\shipping order.exe	File opened / queried: C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys
Source: C:\Users\user\Desktop\shipping order.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\shipping order.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\shipping order.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\shipping order.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2913
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1743
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3043
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2249
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1260
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 352
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2180
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2193
Source: C:\Users\user\Desktop\shipping order.exe	Window / User API: threadDelayed 6276
Source: C:\Users\user\Desktop\shipping order.exe	Window / User API: threadDelayed 1836

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4520	Thread sleep count: 2913 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1752	Thread sleep count: 1743 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6456	Thread sleep count: 57 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8012	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8012	Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2840	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2840	Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5624	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6272	Thread sleep count: 2180 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6272	Thread sleep count: 2193 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6548	Thread sleep count: 61 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\shipping order.exe TID: 3752	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\shipping order.exe TID: 4440	Thread sleep time: -380000s >= -30000s

Source: C:\Users\user\Desktop\shipping order.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\shipping order.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\shipping order.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: shipping order.exe, 0000001D.00000002.607170263.0000000002D41000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: shipping order.exe, 0000001B.00000002.599305749.0000000001428000.00000004.00000020.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareLP5CY_UEWin32_VideoControllerNK_TC844VideoController120060621000000.000000-00058.12389display.infMSBDAT7B6YFB4PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsLHAONUMK
Source: shipping order.exe, 00000022.00000002.604939441.0000000002F71000.00000004.00000001.sdmp	Binary or memory string: VMWAREeButYesKeyn
Source: shipping order.exe, 00000022.00000002.604939441.0000000002F71000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIx
Source: shipping order.exe, 0000000E.00000002.625130953.0000000005650000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp	Binary or memory string: SC:\WINDOWS\system32\drivers\VBoxMouse.sysESOFTWARE\VMware, Inc.\VMware Tools
Source: WerFault.exe, 00000023.00000002.604941068.00000000050BB000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: shipping order.exe, 00000022.00000002.604939441.0000000002F71000.00000004.00000001.sdmp	Binary or memory string: l&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: shipping order.exe, 00000022.00000002.604939441.0000000002F71000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: shipping order.exe, 00000000.00000002.599854975.000000000128E000.00000004.00000020.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareLP5CY_UEWin32_VideoControllerNK_TC844VideoController120060621000000.000000-00058.12389display.infMSBDAT7B6YFB4PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsLHAONUMKM
Source: shipping order.exe, 0000000E.00000002.625130953.0000000005650000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: shipping order.exe, 0000000E.00000002.477108136.00000000012CF000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: shipping order.exe, 0000001D.00000002.607170263.0000000002D41000.00000004.00000001.sdmp	Binary or memory string: vmwarex
Source: shipping order.exe, 00000022.00000002.604939441.0000000002F71000.00000004.00000001.sdmp	Binary or memory string: VMWAREx
Source: shipping order.exe, 00000022.00000002.604939441.0000000002F71000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: shipping order.exe, 00000022.00000002.604939441.0000000002F71000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: shipping order.exe, 00000000.00000002.611055849.0000000002EB1000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.484012193.00000000030D1000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.605222974.0000000002FE1000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.607170263.0000000002D41000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.604939441.0000000002F71000.00000004.00000001.sdmp	Binary or memory string: QEMUx
Source: shipping order.exe, 00000000.00000002.599854975.000000000128E000.00000004.00000020.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareLP5CY_UEWin32_VideoControllerNK_TC844VideoController120060621000000.000000-00058.12389display.infMSBDAT7B6YFB4PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsLHAONUMK\
Source: shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp	Binary or memory string: KC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: shipping order.exe, 0000000E.00000002.625130953.0000000005650000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: shipping order.exe, 00000022.00000002.588669034.0000000001035000.00000004.00000020.sdmp	Binary or memory string: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ms\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Toolsditions\Scsi Bus 0\Target Id 0\Logical Unit Id 0hic Provider\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize}\InprocServer32-B3CE-5E7582D8C9FA}\InprocServer32\REGISTR\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools
Source: shipping order.exe, 00000022.00000002.604939441.0000000002F71000.00000004.00000001.sdmp	Binary or memory string: l)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: shipping order.exe, 0000001D.00000002.598875742.0000000001007000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllni
Source: shipping order.exe, 00000022.00000002.604939441.0000000002F71000.00000004.00000001.sdmp	Binary or memory string: l'C:\WINDOWS\system32\drivers\vmmouse.sys
Source: shipping order.exe, 00000022.00000002.604939441.0000000002F71000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: shipping order.exe, 0000001B.00000002.599305749.0000000001428000.00000004.00000020.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareLP5CY_UEWin32_VideoControllerNK_TC844VideoController120060621000000.000000-00058.12389display.infMSBDAT7B6YFB4PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsLHAONUMK#g0
Source: shipping order.exe, 0000000E.00000002.625130953.0000000005650000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\shipping order.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping order.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\shipping order.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\shipping order.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\shipping order.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\shipping order.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\shipping order.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\shipping order.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\shipping order.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\shipping order.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\shipping order.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\shipping order.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\shipping order.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order.exe' -Force
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order.exe' -Force
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\shipping order.exe

Memory written: unknown base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order.exe' -Force
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Users\user\Desktop\shipping order.exe C:\Users\user\Desktop\shipping order.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\shipping order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\shipping order.exe	Process created: unknown unknown

Source: shipping order.exe, 0000001E.00000002.611115698.0000000003421000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: shipping order.exe, 00000000.00000002.608900109.0000000001950000.00000002.00000001.sdmp, shipping order.exe, 0000001E.00000002.605472616.0000000001DD0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: shipping order.exe, 00000000.00000002.608900109.0000000001950000.00000002.00000001.sdmp, shipping order.exe, 0000001E.00000002.605472616.0000000001DD0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: shipping order.exe, 00000000.00000002.608900109.0000000001950000.00000002.00000001.sdmp, shipping order.exe, 0000001E.00000002.605472616.0000000001DD0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: shipping order.exe, 00000000.00000002.608900109.0000000001950000.00000002.00000001.sdmp, shipping order.exe, 0000001E.00000002.605472616.0000000001DD0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: shipping order.exe, 00000000.00000002.608900109.0000000001950000.00000002.00000001.sdmp, shipping order.exe, 0000001E.00000002.605472616.0000000001DD0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Users\user\Desktop\shipping order.exe VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Users\user\Desktop\shipping order.exe VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Users\user\Desktop\shipping order.exe VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Users\user\Desktop\shipping order.exe VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Users\user\Desktop\shipping order.exe VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Users\user\Desktop\shipping order.exe VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation

Source: C:\Users\user\Desktop\shipping order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.606733051.00000000032E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipping order.exe PID: 5732, type: MEMORY
Source: Yara match	File source: 30.2.shipping order.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: shipping order.exe, 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: shipping order.exe, 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: shipping order.exe, 0000001E.00000002.606733051.00000000032E1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.606733051.00000000032E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipping order.exe PID: 5732, type: MEMORY
Source: Yara match	File source: 30.2.shipping order.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Startup Items1	Startup Items1	Masquerading2	Input Capture11	Query Registry1	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Web Service1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Registry Run Keys / Startup Folder421	Process Injection112	Virtualization/Sandbox Evasion25	LSASS Memory	Security Software Discovery431	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder421	Disable or Modify Tools11	Security Account Manager	Virtualization/Sandbox Evasion25	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol12	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery22	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
shipping order.exe	35%	Virustotal		Browse
shipping order.exe	30%	ReversingLabs	Win32.Trojan.Wacatac
shipping order.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	30%	ReversingLabs	Win32.Trojan.Wacatac
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe	30%	ReversingLabs	Win32.Trojan.Wacatac

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
30.2.shipping order.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.pngt	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png$6	0%	Avira URL Cloud	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://pastebin.com4	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
1.ispnano.dns-cloud.net	194.5.97.173	true	false		unknown
pastebin.com	104.23.99.190	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pesterbdd.com/images/Pester.pngt	powershell.exe, 00000001.00000002.605929285.000000000488D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pestert	powershell.exe, 00000001.00000002.605929285.000000000488D000.00000004.00000001.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000006.00000002.631313562.0000000005C84000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester$6	powershell.exe, 00000003.00000002.606076102.000000000495E000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000006.00000002.603137277.0000000004D5E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.605929285.000000000488D000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.606076102.000000000495E000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.605732034.000000000531E000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.603137277.0000000004D5E000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000006.00000002.603137277.0000000004D5E000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000001.00000003.505791219.0000000005105000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.531194458.0000000005B92000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pastebin.com/raw/W63zsRav	shipping order.exe, 0000001D.00000002.624812497.000000000338A000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.605929285.000000000488D000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.606076102.000000000495E000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.605732034.000000000531E000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.603137277.0000000004D5E000.00000004.00000001.sdmp	false		high
https://contoso.com/	powershell.exe, 00000006.00000002.631313562.0000000005C84000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000006.00000002.631313562.0000000005C84000.00000004.00000001.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000006.00000002.631313562.0000000005C84000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png$6	powershell.exe, 00000003.00000002.606076102.000000000495E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000006.00000002.631313562.0000000005C84000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pastebin.com4	shipping order.exe, 00000000.00000002.629479307.0000000003550000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.532866722.000000000371A000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.623796584.000000000362A000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.624812497.000000000338A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html$6	powershell.exe, 00000003.00000002.606076102.000000000495E000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	shipping order.exe, 00000000.00000002.611055849.0000000002EB1000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.601882305.0000000004751000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.600388750.0000000004821000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.600934151.00000000051E1000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.597635539.0000000004C21000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.484012193.00000000030D1000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.605222974.0000000002FE1000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.607170263.0000000002D41000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.604939441.0000000002F71000.00000004.00000001.sdmp	false		high
http://pastebin.com	shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535270665.0000000003783000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.624981836.0000000003693000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp	false		high
https://pastebin.com	shipping order.exe, 00000000.00000002.629479307.0000000003550000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.532866722.000000000371A000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.623796584.000000000362A000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.624812497.000000000338A000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.htmlt	powershell.exe, 00000001.00000002.605929285.000000000488D000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000006.00000002.603137277.0000000004D5E000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
104.23.99.190	unknown	United States	13335	CLOUDFLARENETUS	false
194.5.97.173	unknown	Netherlands	208476	DANILENKODE	false
104.23.98.190	unknown	United States	13335	CLOUDFLARENETUS	false
311.10.11.15	unknown	unknown	unknown	unknown	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	337538
Start date:	08.01.2021
Start time:	18:30:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 55s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	shipping order.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.evad.winEXE@55/23@26/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 0% (good quality ratio 0%) Quality average: 93.2% Quality standard deviation: 8.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.43.193.48, 13.64.90.137, 23.210.248.85, 51.11.168.160, 92.122.213.247, 92.122.213.194, 2.20.142.209, 2.20.142.210, 51.103.5.159, 20.54.26.129, 40.126.1.166, 40.126.1.130, 20.190.129.17, 20.190.129.160, 40.126.1.145, 40.126.1.142, 40.126.1.128, 20.190.129.130, 13.88.21.125, 40.88.32.150, 168.61.161.212, 52.155.217.156 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, skypedataprdcoleus15.cloudapp.net, emea1.notify.windows.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:31:23	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run <Unknown> C:\Users\user\Desktop\shipping order.exe
18:31:31	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run shipping order.exe C:\Users\user\Desktop\shipping order.exe
18:31:40	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run <Unknown> C:\Users\user\Desktop\shipping order.exe
18:31:49	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run shipping order.exe C:\Users\user\Desktop\shipping order.exe
18:31:57	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe
18:32:09	API Interceptor	456x Sleep call for process: shipping order.exe modified
18:32:11	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
18:32:27	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
18:32:35	API Interceptor	155x Sleep call for process: powershell.exe modified
18:32:36	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
18:32:47	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dhcpmon.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.23.99.190	7fYoHeaCBG.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	r0QRptqiCl.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	JDgYMW0LHW.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	kigAlmMyB1.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	5T4Ykc0VSK.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	afvhKak0Ir.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	1KITgJnGbI.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	DovV3LuJ6I.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	66f8F6WvC1.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	PxwWcmbMC5.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	XnAJZR4NcN.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	uqXsQvWMnL.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	I8r7e1pqac.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	VrR9J0FnSG.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	dEpoPWHmoI.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	zZp3oXclum.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	aTZQZVVriQ.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	U23peRXm5Z.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	eXP2pYucWu.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	L6UBlWyCpV.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
194.5.97.173	shipping order#.exe	Get hash	malicious	Browse
104.23.98.190	b095b966805abb7df4ffddf183def880.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	E1Q0TjeN32.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	6YCl3ATKJw.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	Hjnb15Nuc3.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	JDgYMW0LHW.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	4av8Sn32by.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	5T4Ykc0VSK.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	afvhKak0Ir.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	T6OcyQsUsY.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	1KITgJnGbI.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	PxwWcmbMC5.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	XnAJZR4NcN.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	PbTwrajNMX.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	22NO7gVJ7r.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	rE7DwszvrX.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	VjPHSJkwr6.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	wf86K0dpOP.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	VrR9J0FnSG.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	6C1MYmrVl1.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	aTZQZVVriQ.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
1.ispnano.dns-cloud.net	shipping order#.exe	Get hash	malicious	Browse	194.5.97.173
pastebin.com	shipping order#.exe	Get hash	malicious	Browse	104.23.98.190
	0IO1Or2045.exe	Get hash	malicious	Browse	104.23.98.190
	OVl2ydWZDb	Get hash	malicious	Browse	104.23.98.190
	PO20002106.exe	Get hash	malicious	Browse	104.23.99.190
	eTrader-0.1.0.exe	Get hash	malicious	Browse	104.23.98.190
	eTrader-0.1.0.exe	Get hash	malicious	Browse	104.23.99.190
	Ema.exe	Get hash	malicious	Browse	104.23.98.190
	Order_1101201918_AUTECH.exe	Get hash	malicious	Browse	104.23.99.190
	TOP URGENT RFQ 2021 Anson Yang.exe	Get hash	malicious	Browse	104.23.98.190
	sample details.exe	Get hash	malicious	Browse	104.23.99.190
	zrr4Nw19.exe	Get hash	malicious	Browse	104.23.99.190
	TF5wEGc1Fp.exe	Get hash	malicious	Browse	104.23.99.190
	image002933894HF8474H038RHF7.exe	Get hash	malicious	Browse	104.23.98.190
	IMG-PO-SCAN-DOCUMENTS-00HDU12.exe	Get hash	malicious	Browse	104.23.98.190
	ZdCDLe85.exe	Get hash	malicious	Browse	104.23.99.190
	IMAGE-SCAN-DOCUMENTS-002D.exe	Get hash	malicious	Browse	104.23.98.190
	NEW ORDER.pdf.exe	Get hash	malicious	Browse	104.23.99.190
	KnXebI2hpX.exe	Get hash	malicious	Browse	104.23.99.190
	httpscdndiscordappcomattachments785319022966997035791667564027052052aGBWK3jv8vMhTU3.exe	Get hash	malicious	Browse	104.23.99.190
	sz.exe	Get hash	malicious	Browse	104.23.99.190

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	shipping order#.exe	Get hash	malicious	Browse	194.5.97.173
	BL,IN&PL.exe	Get hash	malicious	Browse	194.5.97.206
	New PO.exe	Get hash	malicious	Browse	194.5.98.32
	Order Inquiry.exe	Get hash	malicious	Browse	194.5.97.235
	IMG 01-06-2021 93899283.exe	Get hash	malicious	Browse	194.5.97.177
	SWIFT345343445pdf.exe	Get hash	malicious	Browse	194.5.97.164
	DHL1.exe	Get hash	malicious	Browse	194.5.98.145
	Original BL_pdf.exe	Get hash	malicious	Browse	194.5.97.107
	AWB & CI_pdf.exe	Get hash	malicious	Browse	194.5.97.107
	File.exe	Get hash	malicious	Browse	194.5.98.108
	New Avinode Plans and Prices 2021.xls	Get hash	malicious	Browse	194.5.98.215
	Shiping Doc BL.exe	Get hash	malicious	Browse	194.5.98.157
	Shiping Doc BL.exe	Get hash	malicious	Browse	194.5.98.157
	Shiping Doc BL.exe	Get hash	malicious	Browse	194.5.98.157
	Shiping Doc BL.exe	Get hash	malicious	Browse	194.5.98.157
	Shiping Doc BL.exe	Get hash	malicious	Browse	194.5.98.157
	Shiping Doc BL.exe	Get hash	malicious	Browse	194.5.98.157
	INV_2021354783263530001.exe	Get hash	malicious	Browse	194.5.98.211
	SWB copy.exe	Get hash	malicious	Browse	194.5.98.108
	DHL FI.exe	Get hash	malicious	Browse	194.5.98.145
CLOUDFLARENETUS	shipping order#.exe	Get hash	malicious	Browse	104.23.98.190
	0939489392303224233.exe	Get hash	malicious	Browse	162.159.128.233
	KeyMaker.exe	Get hash	malicious	Browse	1.0.0.0
	b12d7feb3507461a.exe	Get hash	malicious	Browse	162.159.138.232
	ARCH_2021.doc	Get hash	malicious	Browse	172.67.141.14
	SecuriteInfo.com.Trojan.DownLoader36.32796.17922.exe	Get hash	malicious	Browse	162.159.137.232
	0IO1Or2045.exe	Get hash	malicious	Browse	104.23.98.190
	y46XVvLaVc.exe	Get hash	malicious	Browse	172.67.166.210
	FTH2004-005.exe	Get hash	malicious	Browse	23.227.38.74
	inv.exe	Get hash	malicious	Browse	104.27.152.121
	promotion.exe	Get hash	malicious	Browse	104.27.201.87
	ul9kpUwYel.xls	Get hash	malicious	Browse	104.22.1.232
	F6D24k8j9o.exe	Get hash	malicious	Browse	104.28.5.151
	36.exe	Get hash	malicious	Browse	104.28.8.109
	IKWSLxGlrQ.exe	Get hash	malicious	Browse	172.67.188.154
	https://bit.ly/35cYpiT	Get hash	malicious	Browse	104.16.18.94
	https://new-fax-messages.mydopweb.com/	Get hash	malicious	Browse	104.16.18.94
	https://www.food4rhino.com/app/human	Get hash	malicious	Browse	104.16.18.94
	OKU-010920 SCQ-220920.doc	Get hash	malicious	Browse	104.24.113.40
	https://www.food4rhino.com/app/elefront	Get hash	malicious	Browse	104.16.18.94
CLOUDFLARENETUS	shipping order#.exe	Get hash	malicious	Browse	104.23.98.190
	0939489392303224233.exe	Get hash	malicious	Browse	162.159.128.233
	KeyMaker.exe	Get hash	malicious	Browse	1.0.0.0
	b12d7feb3507461a.exe	Get hash	malicious	Browse	162.159.138.232
	ARCH_2021.doc	Get hash	malicious	Browse	172.67.141.14
	SecuriteInfo.com.Trojan.DownLoader36.32796.17922.exe	Get hash	malicious	Browse	162.159.137.232
	0IO1Or2045.exe	Get hash	malicious	Browse	104.23.98.190
	y46XVvLaVc.exe	Get hash	malicious	Browse	172.67.166.210
	FTH2004-005.exe	Get hash	malicious	Browse	23.227.38.74
	inv.exe	Get hash	malicious	Browse	104.27.152.121
	promotion.exe	Get hash	malicious	Browse	104.27.201.87
	ul9kpUwYel.xls	Get hash	malicious	Browse	104.22.1.232
	F6D24k8j9o.exe	Get hash	malicious	Browse	104.28.5.151
	36.exe	Get hash	malicious	Browse	104.28.8.109
	IKWSLxGlrQ.exe	Get hash	malicious	Browse	172.67.188.154
	https://bit.ly/35cYpiT	Get hash	malicious	Browse	104.16.18.94
	https://new-fax-messages.mydopweb.com/	Get hash	malicious	Browse	104.16.18.94
	https://www.food4rhino.com/app/human	Get hash	malicious	Browse	104.16.18.94
	OKU-010920 SCQ-220920.doc	Get hash	malicious	Browse	104.24.113.40
	https://www.food4rhino.com/app/elefront	Get hash	malicious	Browse	104.16.18.94

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	shipping order#.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	F6D24k8j9o.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	umOXxQ9PFS.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	IKWSLxGlrQ.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	Softerra Adaxes 2011.3.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	DSj7ak0N6I.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	3AD78RVleO.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	rFUaUAKfPi.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	QWP-0716.xls.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	invoice-ID3626307348012.vbs	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	xPcTV1mh3w.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	SecuriteInfo.com.Trojan.GenericKD.36004001.8844.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	Manager[1].exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	PO20002106.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	Payment Documents.xls	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	QPI-01458.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	LITmNphcCA.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	HSBC Payment Advice - HSBC67628473234[20201412].exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	Ema.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	Setup_6953.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\shipping order.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2814976
Entropy (8bit):	3.789835376583671
Encrypted:	false
SSDEEP:	24576:H+x252KxvT7AGiQo6wvooXWR6p7fsqMPDTl2LRVa4IdO3Y9RpQ7aw7L9gLWg4cTg:uce6kaPDToi4IdWY67awV
MD5:	B87925C7EB04ED03B7D1B9A5A39358D8
SHA1:	CFF199D7A3B2ECB1D5A6C2BA48DE92901789CFDA
SHA-256:	8DAA3B16B15DD52FFB99EB0644B52712D889FE9528F8633DD16B4B405B017130
SHA-512:	0E9ACF9FDE99FC48DDA2C878474D53716F4D574B2E488B4A80B96A9692F97A620EFE9E14C7E1AB5C74C85808D2D38EF465CB489E210D0FE92DC1A3E6B35CF128
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 30%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...."._.................d(..........(.. ....(...@.. .......................`+......_)...@...................................(.W.....(.P............h(.@....@+...................................................... ............... ..H............text....b(.. ...d(................. ..`.rsrc...P.....(......f(.............@..@.reloc.......@+....................@..B..................(.....H.............'.....\|.....................................................r...p.....r...p.....r...p.....s.........s}........6.~....o....&....(....~~....:....(....s%........~..... .........90...(....9........r.!p....((...()...........(.......2rZ.!p.(....2r..!p.(....2r..!p.(....2r.!p.(....2r..!p.(....2r..!p.(....2r@.!p.(....2rj.!p.(....2r..!p.(....2r..!p.(....2r.!p.(....2r..!p.(....2r2.!p.(....2rj.!p.(....2r..!p.(....2r..!p.(....2r..!p.(....*2r,.!p

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\shipping order.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE82.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8426
Entropy (8bit):	3.6922006885436494
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNikr6OV6YI3SUr9jgmfZDS1Cpr+89b+nJsfcqm:RrlsNi46i6YISUr9jgmfdS6+nifg
MD5:	8EC773920127CC70F684748F39D8DAAD
SHA1:	CD5FD0A9A8ABE65ED06188888F64CE791B024680
SHA-256:	5A6DDEDFC55668F4A559468FAE73D73FD3D5ADCE762DBA4E8B95111345164B81
SHA-512:	E1F1855E0DAB014B73C3258C5CDA6B6F5301CBC659D63EE45DF17CB68B1AB970EBCAC9F212166ECC2C16DA020A2689CAF8CD7264CF9741EAA20430A8F079E8E2
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.1.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE9A.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Jan 9 02:33:24 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	338103
Entropy (8bit):	3.7458438738028703
Encrypted:	false
SSDEEP:	3072:9PG70bjd+pwlutLhDt9gIOgF51/kFyn90WcUCgUjTbDe9ogzalRXbUSTgg0:I0kpLB9RpDyo4TjrDgYRXbur
MD5:	2EC60CA587726F042C3CD401E0EF5692
SHA1:	374DE035094A361FC7B99378A83EC2C98B6C06C5
SHA-256:	F64A3E5E34AD3C009B0834F8446BE1B17F0721457320F65FBBD74800BD805A24
SHA-512:	C15532FDEF826F31925000128DFFD33B8791A510BCD55E6E6F5B4688223EFF1CE1958D5255208DECFBCB579D7E480CC75AB4D9A57B62FBF099FBC46F5A16A8F8
Malicious:	false
Preview:	MDMP....... .........._...................U...........B.......1......GenuineIntelW...........T...........q.._.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11132
Entropy (8bit):	4.965005105667347
Encrypted:	false
SSDEEP:	192:cdcU6Clib41xoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smc/:cib4kBVoGIpN6KQkj2Wkjh4iUxQedNYH
MD5:	C6B0EDFC1B773A7775BEAE3A2A814653
SHA1:	7A09CD0BFF6B2BC665A2ECAC3144D65ABE89557A
SHA-256:	E576F7164C30F8660E7AD2BF38D312E25812A70481BBB7F2172A3C490AADFB2B
SHA-512:	FE668205C21F0C642DEB54F8F49AD9F8E356A15791C4D9357B7EEC70D11FA0DDB45648600B75887B800021494922E662F0655EC12E5F55C1788DC5F9459B0241
Malicious:	false
Preview:	PSMODULECACHE......w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package........Find-Package........Install-PackageProvider........Import-PackageProvider........Get-PackageProvider........Register-PackageSource........Uninstall-Package........Find-PackageProvider........D..8.......C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1........Get-OperationValidation........Invoke-OperationValidation........PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ba2ypcd4.fal.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dgie3wtq.dtl.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f13zkzre.whv.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gz3jep32.ccp.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jtqpnezb.p40.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sdzbntk1.vuf.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tiyw5ytt.diz.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ydljvnmn.obz.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\shipping order.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:ljRP:X
MD5:	96E6C1FC9F7B152A7AB7EAFEE82C876D
SHA1:	674DBA932D7804065B1391A4D9BD7B6F4D60C1C8
SHA-256:	E4C81288F17ED0B30D27269F9AA7EC6092DF62FEBE87398176B6BF151E23C8FD
SHA-512:	0EBAF091488C3478F50D94B33CE69A6D82C104FB874257754AB29CB8D0D2417EE57D6C3D984BA3A0D2E8B845F4CBCD59C243F3770ADF76E485101983DFBA355F
Malicious:	true
Preview:	.Rv.F..H

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe Download File
Process:	C:\Users\user\Desktop\shipping order.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2814976
Entropy (8bit):	3.789835376583671
Encrypted:	false
SSDEEP:	24576:H+x252KxvT7AGiQo6wvooXWR6p7fsqMPDTl2LRVa4IdO3Y9RpQ7aw7L9gLWg4cTg:uce6kaPDToi4IdWY67awV
MD5:	B87925C7EB04ED03B7D1B9A5A39358D8
SHA1:	CFF199D7A3B2ECB1D5A6C2BA48DE92901789CFDA
SHA-256:	8DAA3B16B15DD52FFB99EB0644B52712D889FE9528F8633DD16B4B405B017130
SHA-512:	0E9ACF9FDE99FC48DDA2C878474D53716F4D574B2E488B4A80B96A9692F97A620EFE9E14C7E1AB5C74C85808D2D38EF465CB489E210D0FE92DC1A3E6B35CF128
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 30%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...."._.................d(..........(.. ....(...@.. .......................`+......_)...@...................................(.W.....(.P............h(.@....@+...................................................... ............... ..H............text....b(.. ...d(................. ..`.rsrc...P.....(......f(.............@..@.reloc.......@+....................@..B..................(.....H.............'.....\|.....................................................r...p.....r...p.....r...p.....s.........s}........6.~....o....&....(....~~....:....(....s%........~..... .........90...(....9........r.!p....((...()...........(.......2rZ.!p.(....2r..!p.(....2r..!p.(....2r.!p.(....2r..!p.(....2r..!p.(....2r@.!p.(....2rj.!p.(....2r..!p.(....2r..!p.(....2r.!p.(....2r..!p.(....2r2.!p.(....2rj.!p.(....2r..!p.(....2r..!p.(....2r..!p.(....*2r,.!p

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\shipping order.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20210108\PowerShell_transcript.579569.7jdhcRPS.20210108183127.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	856
Entropy (8bit):	5.2862634087649925
Encrypted:	false
SSDEEP:	24:BxSAvDvBBMQG+x2DOXUWeSuVbrWWHjeTKKjX4CIym1ZJXTuVbj:BZ7v/dZoO+SmbCWqDYB1Z1mbj
MD5:	60249CEB6B2D32ED65B2A4C6974C0014
SHA1:	92F686A6F8321E10ADE8C64E7B64513F6AA4C4A8
SHA-256:	0807E171D8C560105B33F3C3A460186574B50A0CA80C9E0C0C244DCF0035E154
SHA-512:	EF91EAA398A8B6DBDABF2D9C3B2DA0A94CB6183E29995568C2CA4CE4084F43EB709D391B656BCC5E765434AA4B97A82574E9C92A54254F339F55FE1E5B9B0CD2
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210108183203..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 579569 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\shipping order.exe -Force..Process ID: 4600..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210108183203..********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\shipping order.exe -Force..

C:\Users\user\Documents\20210108\PowerShell_transcript.579569.BT05d3d0.20210108183125.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.3050186988842345
Encrypted:	false
SSDEEP:	24:BxSAQDvBBMQG+x2DOXUWeSuvuVM5rWhHjeTKKjX4CIym1ZJXTuvuVM5j:BZ8v/dZoO+SsuaChqDYB1Z1suaj
MD5:	7B01E2AC36A3A397BBC6AF73914CB3FF
SHA1:	16E2AAE1940290466BEBA7E3D441D6B4BB8B532A
SHA-256:	23AFD81F7ED132506BA8BD66798D1D2467BE4F9E4409991565ADB21520F41B98
SHA-512:	803109B0B6BB9A58A5B20797BEAFCB5AA2214818866270D2078B4ADE9B6B69624BFD569E4FB3B120DC68E0F57D047B1CAE1311B7E6BB4C72A35AC20A515D937E
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210108183202..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 579569 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe -Force..Process ID: 768..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210108183203..********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe -Force..

C:\Users\user\Documents\20210108\PowerShell_transcript.579569.c+4r7aH8.20210108183126.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	964
Entropy (8bit):	5.306681687338691
Encrypted:	false
SSDEEP:	24:BxSA9DvBBMQG+x2DOXUWeSuvuVM5rWFHjeTKKjX4CIym1ZJXYuvuVM5j:BZFv/dZoO+SsuaCFqDYB1ZOsuaj
MD5:	300C91800B2E2CB773080AEBB3B6B874
SHA1:	CE1346830CB70E5097D64D61FB625903C3022CE8
SHA-256:	5E84C5E2696DF2125EFD5D84A8986CF89032694300A6C373E10DC39CE176931D
SHA-512:	EE5C159307E4B91AFD3E85A61D79F20030523AF3F80328E10D5D6D8F89F6F2854F5E7B3604FD98B57856A5EC372989445963D251CD9F33614E8617532FE6632F
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210108183205..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 579569 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe -Force..Process ID: 4724..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210108183208..********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe -Force..

C:\Users\user\Documents\20210108\PowerShell_transcript.579569.hrKQHeuP.20210108183125.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	964
Entropy (8bit):	5.298122737331953
Encrypted:	false
SSDEEP:	24:BxSAvDvBBMQG+x2DOXUWeSuvuVM5rWbHjeTKKjX4CIym1ZJXzuvuVM5j:BZ7v/dZoO+SsuaCbqDYB1ZRsuaj
MD5:	8749A289EB6E272172CDEE32BEA16BE8
SHA1:	B3D5C116852223D6355DED220CC0CC601B2364E7
SHA-256:	4853F9119CB3554FAAA18B48116A808F2921E36E85501A49EC74527CD44990AA
SHA-512:	D8C7FC594F24A631E1BADFDAFDB57BB6C431BC48B62998B5A226BDC7CE57A29061792A9F4E5DDC2389BE37AB1B507DA678FE4B31B34614F471BC2B802BB7E21B
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210108183157..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 579569 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe -Force..Process ID: 1000..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210108183157..********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe -Force..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.789835376583671
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	shipping order.exe
File size:	2814976
MD5:	b87925c7eb04ed03b7d1b9a5a39358d8
SHA1:	cff199d7a3b2ecb1d5a6c2ba48de92901789cfda
SHA256:	8daa3b16b15dd52ffb99eb0644b52712d889fe9528f8633dd16b4b405b017130
SHA512:	0e9acf9fde99fc48dda2c878474d53716f4d574b2e488b4a80b96a9692f97a620efe9e14c7e1ab5c74c85808d2d38ef465cb489e210d0fe92dc1a3e6b35cf128
SSDEEP:	24576:H+x252KxvT7AGiQo6wvooXWR6p7fsqMPDTl2LRVa4IdO3Y9RpQ7aw7L9gLWg4cTg:uce6kaPDToi4IdWY67awV
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...."._.................d(...........(.. ....(...@.. .......................`+......_)...@................................

File Icon


Icon Hash:	07d8d8d4d4d85026

Static PE Info

General
Entrypoint:	0x6882de
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FF822B7 [Fri Jan 8 09:15:35 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x288284	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x28a000	0x28a50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x286800	0x1540	.text
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2b4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2862e4	0x286400	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x28a000	0x28a50	0x28c00	False	0.0466233703988	Macintosh MFS data (locked) created: Mon Apr 24 18:35:32 2017, last backup: Mon May 29 23:14:11 1995, block size: 2110829513, number of blocks: 17063, volume name: \246\330	2.97289655472	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2b4000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x28a268	0xc35	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x28aea0	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 4280119364, next used block 4280119364
RT_ICON	0x29b6c8	0x94a8	data
RT_ICON	0x2a4b70	0x5488	data
RT_ICON	0x2a9ff8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0
RT_ICON	0x2ae220	0x25a8	data
RT_ICON	0x2b07c8	0x10a8	data
RT_ICON	0x2b1870	0x988	data
RT_ICON	0x2b21f8	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x2b2660	0x84	data
RT_VERSION	0x2b26e4	0x36c	data	English	United States

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
LegalCopyright	IObit. All rights reserved.
FileVersion	13.0.0.49
CompanyName	IObit
LegalTrademarks	IObit
Comments	Advanced SystemCare Auto Sweep
ProductName	Advanced SystemCare
ProductVersion	13.0.0.49
FileDescription	Advanced SystemCare Auto Sweep
Guid	60b42ce5-df88-4b71-bf45-a33744fcf42a
Translation	0x0000 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2021 18:31:24.376733065 CET	49710	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:31:24.416979074 CET	443	49710	104.23.99.190	192.168.2.5
Jan 8, 2021 18:31:24.417165041 CET	49710	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:31:24.461075068 CET	49710	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:31:24.501216888 CET	443	49710	104.23.99.190	192.168.2.5
Jan 8, 2021 18:31:24.504751921 CET	443	49710	104.23.99.190	192.168.2.5
Jan 8, 2021 18:31:24.504825115 CET	443	49710	104.23.99.190	192.168.2.5
Jan 8, 2021 18:31:24.504842997 CET	443	49710	104.23.99.190	192.168.2.5
Jan 8, 2021 18:31:24.504998922 CET	49710	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:31:24.511009932 CET	49710	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:31:24.551047087 CET	443	49710	104.23.99.190	192.168.2.5
Jan 8, 2021 18:31:24.551167011 CET	443	49710	104.23.99.190	192.168.2.5
Jan 8, 2021 18:31:24.591161966 CET	49710	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:31:24.618511915 CET	49710	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:31:24.658757925 CET	443	49710	104.23.99.190	192.168.2.5
Jan 8, 2021 18:31:24.666969061 CET	443	49710	104.23.99.190	192.168.2.5
Jan 8, 2021 18:31:24.667009115 CET	443	49710	104.23.99.190	192.168.2.5
Jan 8, 2021 18:31:24.667113066 CET	49710	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:32:18.068780899 CET	49730	443	192.168.2.5	104.23.98.190
Jan 8, 2021 18:32:18.109169960 CET	443	49730	104.23.98.190	192.168.2.5
Jan 8, 2021 18:32:18.109307051 CET	49730	443	192.168.2.5	104.23.98.190
Jan 8, 2021 18:32:18.348174095 CET	49731	10004	192.168.2.5	194.5.97.173
Jan 8, 2021 18:32:18.350944996 CET	49730	443	192.168.2.5	104.23.98.190
Jan 8, 2021 18:32:18.391020060 CET	443	49730	104.23.98.190	192.168.2.5
Jan 8, 2021 18:32:18.393731117 CET	443	49730	104.23.98.190	192.168.2.5
Jan 8, 2021 18:32:18.393800020 CET	443	49730	104.23.98.190	192.168.2.5
Jan 8, 2021 18:32:18.393842936 CET	443	49730	104.23.98.190	192.168.2.5
Jan 8, 2021 18:32:18.393867970 CET	49730	443	192.168.2.5	104.23.98.190
Jan 8, 2021 18:32:18.397357941 CET	10004	49731	194.5.97.173	192.168.2.5
Jan 8, 2021 18:32:18.398782969 CET	49730	443	192.168.2.5	104.23.98.190
Jan 8, 2021 18:32:18.438940048 CET	443	49730	104.23.98.190	192.168.2.5
Jan 8, 2021 18:32:18.442034006 CET	443	49730	104.23.98.190	192.168.2.5
Jan 8, 2021 18:32:18.501873016 CET	49730	443	192.168.2.5	104.23.98.190
Jan 8, 2021 18:32:18.546454906 CET	49730	443	192.168.2.5	104.23.98.190
Jan 8, 2021 18:32:18.586724043 CET	443	49730	104.23.98.190	192.168.2.5
Jan 8, 2021 18:32:18.596575022 CET	443	49730	104.23.98.190	192.168.2.5
Jan 8, 2021 18:32:18.596632004 CET	443	49730	104.23.98.190	192.168.2.5
Jan 8, 2021 18:32:18.596720934 CET	49730	443	192.168.2.5	104.23.98.190
Jan 8, 2021 18:32:19.001941919 CET	49731	10004	192.168.2.5	194.5.97.173
Jan 8, 2021 18:32:19.051101923 CET	10004	49731	194.5.97.173	192.168.2.5
Jan 8, 2021 18:32:19.689558983 CET	49731	10004	192.168.2.5	194.5.97.173
Jan 8, 2021 18:32:19.739985943 CET	10004	49731	194.5.97.173	192.168.2.5
Jan 8, 2021 18:32:22.601443052 CET	49733	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:32:22.641594887 CET	443	49733	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:22.641721010 CET	49733	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:32:22.666995049 CET	49733	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:32:22.707395077 CET	443	49733	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:22.711358070 CET	443	49733	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:22.711397886 CET	443	49733	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:22.711416960 CET	443	49733	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:22.711523056 CET	49733	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:32:22.717020035 CET	49733	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:32:22.757294893 CET	443	49733	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:22.757844925 CET	443	49733	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:22.799159050 CET	49733	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:32:22.833534002 CET	49733	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:32:22.873955965 CET	443	49733	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:22.884177923 CET	443	49733	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:22.884222031 CET	443	49733	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:22.884385109 CET	49733	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:32:28.804842949 CET	49734	10004	192.168.2.5	194.5.97.173
Jan 8, 2021 18:32:28.854245901 CET	10004	49734	194.5.97.173	192.168.2.5
Jan 8, 2021 18:32:29.502758980 CET	49734	10004	192.168.2.5	194.5.97.173
Jan 8, 2021 18:32:29.551991940 CET	10004	49734	194.5.97.173	192.168.2.5
Jan 8, 2021 18:32:30.096587896 CET	49734	10004	192.168.2.5	194.5.97.173
Jan 8, 2021 18:32:30.148751020 CET	10004	49734	194.5.97.173	192.168.2.5
Jan 8, 2021 18:32:36.389797926 CET	49735	10004	192.168.2.5	194.5.97.173
Jan 8, 2021 18:32:36.439270973 CET	10004	49735	194.5.97.173	192.168.2.5
Jan 8, 2021 18:32:36.940993071 CET	49735	10004	192.168.2.5	194.5.97.173
Jan 8, 2021 18:32:36.990786076 CET	10004	49735	194.5.97.173	192.168.2.5
Jan 8, 2021 18:32:37.503479958 CET	49735	10004	192.168.2.5	194.5.97.173
Jan 8, 2021 18:32:37.553141117 CET	10004	49735	194.5.97.173	192.168.2.5
Jan 8, 2021 18:32:39.184977055 CET	49736	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:32:39.225265980 CET	443	49736	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:39.225397110 CET	49736	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:32:39.228811979 CET	49736	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:32:39.269016027 CET	443	49736	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:39.272711992 CET	443	49736	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:39.272732019 CET	443	49736	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:39.272748947 CET	443	49736	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:39.272902012 CET	49736	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:32:39.274951935 CET	49736	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:32:39.314965010 CET	443	49736	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:39.315071106 CET	443	49736	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:39.324415922 CET	49736	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:32:39.364463091 CET	443	49736	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:39.374560118 CET	443	49736	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:39.374582052 CET	443	49736	104.23.99.190	192.168.2.5
Jan 8, 2021 18:32:39.374672890 CET	49736	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:32:45.552649975 CET	49739	10004	192.168.2.5	194.5.97.173
Jan 8, 2021 18:32:45.601923943 CET	10004	49739	194.5.97.173	192.168.2.5
Jan 8, 2021 18:32:46.048881054 CET	49733	443	192.168.2.5	104.23.99.190
Jan 8, 2021 18:32:46.191664934 CET	49739	10004	192.168.2.5	194.5.97.173
Jan 8, 2021 18:32:46.240972042 CET	10004	49739	194.5.97.173	192.168.2.5
Jan 8, 2021 18:32:46.801114082 CET	49739	10004	192.168.2.5	194.5.97.173
Jan 8, 2021 18:32:46.850738049 CET	10004	49739	194.5.97.173	192.168.2.5
Jan 8, 2021 18:32:49.431197882 CET	49741	443	192.168.2.5	104.23.98.190
Jan 8, 2021 18:32:49.471458912 CET	443	49741	104.23.98.190	192.168.2.5
Jan 8, 2021 18:32:49.471576929 CET	49741	443	192.168.2.5	104.23.98.190
Jan 8, 2021 18:32:49.474611998 CET	49741	443	192.168.2.5	104.23.98.190

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2021 18:31:06.226120949 CET	54795	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:31:06.279073000 CET	53	54795	8.8.8.8	192.168.2.5
Jan 8, 2021 18:31:24.266156912 CET	49557	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:31:24.322529078 CET	53	49557	8.8.8.8	192.168.2.5
Jan 8, 2021 18:31:27.427134037 CET	61733	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:31:27.478928089 CET	53	61733	8.8.8.8	192.168.2.5
Jan 8, 2021 18:31:31.195940018 CET	65447	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:31:31.252470970 CET	53	65447	8.8.8.8	192.168.2.5
Jan 8, 2021 18:31:31.336635113 CET	52441	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:31:31.387371063 CET	53	52441	8.8.8.8	192.168.2.5
Jan 8, 2021 18:31:32.702754021 CET	62176	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:31:32.751205921 CET	53	62176	8.8.8.8	192.168.2.5
Jan 8, 2021 18:31:34.036644936 CET	59596	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:31:34.084470987 CET	53	59596	8.8.8.8	192.168.2.5
Jan 8, 2021 18:31:35.387299061 CET	65296	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:31:35.438033104 CET	53	65296	8.8.8.8	192.168.2.5
Jan 8, 2021 18:31:36.773515940 CET	63183	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:31:36.821496964 CET	53	63183	8.8.8.8	192.168.2.5
Jan 8, 2021 18:31:37.973342896 CET	60151	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:31:38.021277905 CET	53	60151	8.8.8.8	192.168.2.5
Jan 8, 2021 18:31:38.271847010 CET	56969	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:31:38.319643021 CET	53	56969	8.8.8.8	192.168.2.5
Jan 8, 2021 18:31:39.546310902 CET	55161	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:31:39.605269909 CET	53	55161	8.8.8.8	192.168.2.5
Jan 8, 2021 18:31:40.817363024 CET	54757	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:31:40.865215063 CET	53	54757	8.8.8.8	192.168.2.5
Jan 8, 2021 18:31:42.007613897 CET	49992	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:31:42.066764116 CET	53	49992	8.8.8.8	192.168.2.5
Jan 8, 2021 18:31:45.160653114 CET	60075	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:31:45.221355915 CET	53	60075	8.8.8.8	192.168.2.5
Jan 8, 2021 18:31:55.171797037 CET	55016	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:31:55.228377104 CET	53	55016	8.8.8.8	192.168.2.5
Jan 8, 2021 18:31:56.668503046 CET	64345	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:31:56.725179911 CET	53	64345	8.8.8.8	192.168.2.5
Jan 8, 2021 18:32:17.367624998 CET	57128	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:32:17.432390928 CET	53	57128	8.8.8.8	192.168.2.5
Jan 8, 2021 18:32:17.951802015 CET	54791	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:32:18.008084059 CET	53	54791	8.8.8.8	192.168.2.5
Jan 8, 2021 18:32:19.266114950 CET	50463	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:32:19.341434002 CET	53	50463	8.8.8.8	192.168.2.5
Jan 8, 2021 18:32:22.457204103 CET	50394	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:32:22.515639067 CET	53	50394	8.8.8.8	192.168.2.5
Jan 8, 2021 18:32:28.671607018 CET	58530	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:32:28.722496986 CET	53	58530	8.8.8.8	192.168.2.5
Jan 8, 2021 18:32:36.312988997 CET	53813	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:32:36.363810062 CET	53	53813	8.8.8.8	192.168.2.5
Jan 8, 2021 18:32:39.118150949 CET	63732	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:32:39.174691916 CET	53	63732	8.8.8.8	192.168.2.5
Jan 8, 2021 18:32:42.164417982 CET	57344	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:32:42.225449085 CET	53	57344	8.8.8.8	192.168.2.5
Jan 8, 2021 18:32:44.022420883 CET	54450	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:32:44.070389986 CET	53	54450	8.8.8.8	192.168.2.5
Jan 8, 2021 18:32:45.399282932 CET	59261	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:32:45.450463057 CET	53	59261	8.8.8.8	192.168.2.5
Jan 8, 2021 18:32:45.767371893 CET	57151	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:32:45.815238953 CET	53	57151	8.8.8.8	192.168.2.5
Jan 8, 2021 18:32:49.339917898 CET	59413	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:32:49.396167994 CET	53	59413	8.8.8.8	192.168.2.5
Jan 8, 2021 18:32:52.339349985 CET	60516	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:32:52.387439013 CET	53	60516	8.8.8.8	192.168.2.5
Jan 8, 2021 18:32:54.668682098 CET	51649	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:32:54.725019932 CET	53	51649	8.8.8.8	192.168.2.5
Jan 8, 2021 18:32:58.219737053 CET	65086	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:32:58.277734995 CET	53	65086	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:01.507724047 CET	56432	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:01.564433098 CET	53	56432	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:01.947154045 CET	52929	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:01.995008945 CET	53	52929	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:02.171906948 CET	64317	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:02.219821930 CET	53	64317	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:03.881963015 CET	61004	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:03.949186087 CET	53	61004	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:07.594350100 CET	56895	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:07.642417908 CET	53	56895	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:07.713891029 CET	62372	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:07.730717897 CET	61515	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:07.762573004 CET	53	62372	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:07.778650999 CET	53	61515	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:14.328829050 CET	56675	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:14.387923002 CET	53	56675	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:20.884196043 CET	57172	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:20.932195902 CET	53	57172	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:25.382311106 CET	55267	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:25.438584089 CET	53	55267	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:27.625704050 CET	50969	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:27.682338953 CET	53	50969	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:33.561655998 CET	64362	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:33.609699965 CET	53	64362	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:39.035249949 CET	54766	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:39.089112997 CET	53	54766	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:42.029217958 CET	61446	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:42.077615976 CET	53	61446	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:42.281184912 CET	57515	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:42.329241037 CET	53	57515	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:43.282241106 CET	58199	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:43.338522911 CET	53	58199	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:44.485451937 CET	65221	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:44.535326004 CET	53	65221	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:46.463371992 CET	61573	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:46.525743961 CET	53	61573	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:49.878412962 CET	56562	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:49.934824944 CET	53	56562	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:49.957849979 CET	53591	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:50.008671045 CET	53	53591	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:50.830368996 CET	59688	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:50.917220116 CET	53	59688	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:52.495915890 CET	56032	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:52.531183958 CET	61150	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:52.555049896 CET	53	56032	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:52.579680920 CET	53	61150	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:53.037260056 CET	63458	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:53.096657991 CET	53	63458	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:53.483895063 CET	50422	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:53.542552948 CET	53	50422	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:54.231245041 CET	53247	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:54.292819023 CET	53	53247	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:55.226639986 CET	58544	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:55.253365040 CET	53814	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:55.274454117 CET	53	58544	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:55.312272072 CET	53	53814	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:56.329108000 CET	51305	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:56.380157948 CET	53	51305	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:57.046292067 CET	53670	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:57.121478081 CET	53	53670	8.8.8.8	192.168.2.5
Jan 8, 2021 18:33:57.493902922 CET	55160	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:33:57.550358057 CET	53	55160	8.8.8.8	192.168.2.5
Jan 8, 2021 18:34:00.625790119 CET	61414	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:34:00.684886932 CET	53	61414	8.8.8.8	192.168.2.5
Jan 8, 2021 18:34:05.877055883 CET	63847	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:34:05.938656092 CET	53	63847	8.8.8.8	192.168.2.5
Jan 8, 2021 18:34:11.127619982 CET	61523	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:34:11.183722019 CET	53	61523	8.8.8.8	192.168.2.5
Jan 8, 2021 18:34:16.377371073 CET	50551	53	192.168.2.5	8.8.8.8
Jan 8, 2021 18:34:16.439781904 CET	53	50551	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 8, 2021 18:31:24.266156912 CET	192.168.2.5	8.8.8.8	0xb5d9	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:17.367624998 CET	192.168.2.5	8.8.8.8	0x9fbc	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:17.951802015 CET	192.168.2.5	8.8.8.8	0x9d37	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:22.457204103 CET	192.168.2.5	8.8.8.8	0xc0f5	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:28.671607018 CET	192.168.2.5	8.8.8.8	0x5b9d	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:36.312988997 CET	192.168.2.5	8.8.8.8	0x3f70	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:39.118150949 CET	192.168.2.5	8.8.8.8	0x6eb2	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:45.399282932 CET	192.168.2.5	8.8.8.8	0xc571	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:49.339917898 CET	192.168.2.5	8.8.8.8	0x4a4e	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:54.668682098 CET	192.168.2.5	8.8.8.8	0xef44	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:01.507724047 CET	192.168.2.5	8.8.8.8	0x9d5	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:07.594350100 CET	192.168.2.5	8.8.8.8	0xdc65	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:14.328829050 CET	192.168.2.5	8.8.8.8	0x9283	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:20.884196043 CET	192.168.2.5	8.8.8.8	0xa98e	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:25.382311106 CET	192.168.2.5	8.8.8.8	0x46f8	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:27.625704050 CET	192.168.2.5	8.8.8.8	0xb960	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:33.561655998 CET	192.168.2.5	8.8.8.8	0x69d5	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:39.035249949 CET	192.168.2.5	8.8.8.8	0xe8e	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:43.282241106 CET	192.168.2.5	8.8.8.8	0xcf54	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:44.485451937 CET	192.168.2.5	8.8.8.8	0x7d4	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:49.957849979 CET	192.168.2.5	8.8.8.8	0xbcc0	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:55.253365040 CET	192.168.2.5	8.8.8.8	0x43eb	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:34:00.625790119 CET	192.168.2.5	8.8.8.8	0x3792	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:34:05.877055883 CET	192.168.2.5	8.8.8.8	0xc60f	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:34:11.127619982 CET	192.168.2.5	8.8.8.8	0x2679	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)
Jan 8, 2021 18:34:16.377371073 CET	192.168.2.5	8.8.8.8	0x194	Standard query (0)	1.ispnano.dns-cloud.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 8, 2021 18:31:24.322529078 CET	8.8.8.8	192.168.2.5	0xb5d9	No error (0)	pastebin.com		104.23.99.190	A (IP address)	IN (0x0001)
Jan 8, 2021 18:31:24.322529078 CET	8.8.8.8	192.168.2.5	0xb5d9	No error (0)	pastebin.com		104.23.98.190	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:17.432390928 CET	8.8.8.8	192.168.2.5	0x9fbc	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:18.008084059 CET	8.8.8.8	192.168.2.5	0x9d37	No error (0)	pastebin.com		104.23.98.190	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:18.008084059 CET	8.8.8.8	192.168.2.5	0x9d37	No error (0)	pastebin.com		104.23.99.190	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:22.515639067 CET	8.8.8.8	192.168.2.5	0xc0f5	No error (0)	pastebin.com		104.23.99.190	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:22.515639067 CET	8.8.8.8	192.168.2.5	0xc0f5	No error (0)	pastebin.com		104.23.98.190	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:28.722496986 CET	8.8.8.8	192.168.2.5	0x5b9d	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:36.363810062 CET	8.8.8.8	192.168.2.5	0x3f70	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:39.174691916 CET	8.8.8.8	192.168.2.5	0x6eb2	No error (0)	pastebin.com		104.23.99.190	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:39.174691916 CET	8.8.8.8	192.168.2.5	0x6eb2	No error (0)	pastebin.com		104.23.98.190	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:42.225449085 CET	8.8.8.8	192.168.2.5	0x137	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 8, 2021 18:32:45.450463057 CET	8.8.8.8	192.168.2.5	0xc571	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:49.396167994 CET	8.8.8.8	192.168.2.5	0x4a4e	No error (0)	pastebin.com		104.23.98.190	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:49.396167994 CET	8.8.8.8	192.168.2.5	0x4a4e	No error (0)	pastebin.com		104.23.99.190	A (IP address)	IN (0x0001)
Jan 8, 2021 18:32:54.725019932 CET	8.8.8.8	192.168.2.5	0xef44	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:01.564433098 CET	8.8.8.8	192.168.2.5	0x9d5	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:07.642417908 CET	8.8.8.8	192.168.2.5	0xdc65	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:14.387923002 CET	8.8.8.8	192.168.2.5	0x9283	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:20.932195902 CET	8.8.8.8	192.168.2.5	0xa98e	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:25.438584089 CET	8.8.8.8	192.168.2.5	0x46f8	No error (0)	pastebin.com		104.23.98.190	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:25.438584089 CET	8.8.8.8	192.168.2.5	0x46f8	No error (0)	pastebin.com		104.23.99.190	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:27.682338953 CET	8.8.8.8	192.168.2.5	0xb960	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:33.609699965 CET	8.8.8.8	192.168.2.5	0x69d5	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:39.089112997 CET	8.8.8.8	192.168.2.5	0xe8e	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:43.338522911 CET	8.8.8.8	192.168.2.5	0xcf54	No error (0)	pastebin.com		104.23.99.190	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:43.338522911 CET	8.8.8.8	192.168.2.5	0xcf54	No error (0)	pastebin.com		104.23.98.190	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:44.535326004 CET	8.8.8.8	192.168.2.5	0x7d4	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:50.008671045 CET	8.8.8.8	192.168.2.5	0xbcc0	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:33:55.312272072 CET	8.8.8.8	192.168.2.5	0x43eb	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:34:00.684886932 CET	8.8.8.8	192.168.2.5	0x3792	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:34:05.938656092 CET	8.8.8.8	192.168.2.5	0xc60f	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:34:11.183722019 CET	8.8.8.8	192.168.2.5	0x2679	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)
Jan 8, 2021 18:34:16.439781904 CET	8.8.8.8	192.168.2.5	0x194	No error (0)	1.ispnano.dns-cloud.net		194.5.97.173	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 8, 2021 18:31:24.504842997 CET	104.23.99.190	443	192.168.2.5	49710	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 17 02:00:00 CEST 2020 Mon Jan 27 13:46:39 CET 2020	Tue Aug 17 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Jan 8, 2021 18:31:24.504842997 CET	104.23.99.190	443	192.168.2.5	49710	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad
Jan 8, 2021 18:32:18.393842936 CET	104.23.98.190	443	192.168.2.5	49730	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 17 02:00:00 CEST 2020 Mon Jan 27 13:46:39 CET 2020	Tue Aug 17 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Jan 8, 2021 18:32:18.393842936 CET	104.23.98.190	443	192.168.2.5	49730	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad
Jan 8, 2021 18:32:22.711416960 CET	104.23.99.190	443	192.168.2.5	49733	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 17 02:00:00 CEST 2020 Mon Jan 27 13:46:39 CET 2020	Tue Aug 17 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Jan 8, 2021 18:32:22.711416960 CET	104.23.99.190	443	192.168.2.5	49733	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad
Jan 8, 2021 18:32:39.272748947 CET	104.23.99.190	443	192.168.2.5	49736	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 17 02:00:00 CEST 2020 Mon Jan 27 13:46:39 CET 2020	Tue Aug 17 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Jan 8, 2021 18:32:39.272748947 CET	104.23.99.190	443	192.168.2.5	49736	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad
Jan 8, 2021 18:32:49.520049095 CET	104.23.98.190	443	192.168.2.5	49741	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 17 02:00:00 CEST 2020 Mon Jan 27 13:46:39 CET 2020	Tue Aug 17 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Jan 8, 2021 18:32:49.520049095 CET	104.23.98.190	443	192.168.2.5	49741	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad
Jan 8, 2021 18:33:26.442956924 CET	104.23.98.190	443	192.168.2.5	49759	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 17 02:00:00 CEST 2020 Mon Jan 27 13:46:39 CET 2020	Tue Aug 17 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Jan 8, 2021 18:33:26.442956924 CET	104.23.98.190	443	192.168.2.5	49759	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad
Jan 8, 2021 18:33:43.452308893 CET	104.23.99.190	443	192.168.2.5	49765	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 17 02:00:00 CEST 2020 Mon Jan 27 13:46:39 CET 2020	Tue Aug 17 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Jan 8, 2021 18:33:43.452308893 CET	104.23.99.190	443	192.168.2.5	49765	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: shipping order.exe PID: 5316 Parent PID: 5708

General

Start time:	18:31:13
Start date:	08/01/2021
Path:	C:\Users\user\Desktop\shipping order.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\shipping order.exe'
Imagebase:	0x7d0000
File size:	2814976 bytes
MD5 hash:	B87925C7EB04ED03B7D1B9A5A39358D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: powershell.exe PID: 1000 Parent PID: 5316

General

Start time:	18:31:22
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Imagebase:	0xfd0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 4668 Parent PID: 1000

General

Start time:	18:31:22
Start date:	08/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 768 Parent PID: 5316

General

Start time:	18:31:22
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Imagebase:	0xfd0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 5996 Parent PID: 768

General

Start time:	18:31:23
Start date:	08/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 4724 Parent PID: 5316

General

Start time:	18:31:23
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Imagebase:	0xfd0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: powershell.exe PID: 4600 Parent PID: 5316

General

Start time:	18:31:23
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order.exe' -Force
Imagebase:	0xfd0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 5680 Parent PID: 4724

General

Start time:	18:31:23
Start date:	08/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5896 Parent PID: 4600

General

Start time:	18:31:23
Start date:	08/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff797770000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 6292 Parent PID: 5316

General

Start time:	18:31:24
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6320 Parent PID: 6292

General

Start time:	18:31:25
Start date:	08/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exe PID: 6464 Parent PID: 6292

General

Start time:	18:31:25
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0x3d0000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: shipping order.exe PID: 6696 Parent PID: 3472

General

Start time:	18:31:32
Start date:	08/01/2021
Path:	C:\Users\user\Desktop\shipping order.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\shipping order.exe'
Imagebase:	0x920000
File size:	2814976 bytes
MD5 hash:	B87925C7EB04ED03B7D1B9A5A39358D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: cmd.exe PID: 6728 Parent PID: 5316

General

Start time:	18:31:32
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6764 Parent PID: 6728

General

Start time:	18:31:33
Start date:	08/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exe PID: 6820 Parent PID: 6728

General

Start time:	18:31:33
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0x3d0000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 1688 Parent PID: 5316

General

Start time:	18:31:39
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4572 Parent PID: 1688

General

Start time:	18:31:39
Start date:	08/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: shipping order.exe PID: 1624 Parent PID: 3472

General

Start time:	18:31:40
Start date:	08/01/2021
Path:	C:\Users\user\Desktop\shipping order.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\shipping order.exe'
Imagebase:	0xa70000
File size:	2814976 bytes
MD5 hash:	B87925C7EB04ED03B7D1B9A5A39358D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: timeout.exe PID: 6460 Parent PID: 1688

General

Start time:	18:31:40
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0x3d0000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: shipping order.exe PID: 5860 Parent PID: 3472

General

Start time:	18:31:49
Start date:	08/01/2021
Path:	C:\Users\user\Desktop\shipping order.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\shipping order.exe'
Imagebase:	0x6a0000
File size:	2814976 bytes
MD5 hash:	B87925C7EB04ED03B7D1B9A5A39358D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: shipping order.exe PID: 5732 Parent PID: 5316

General

Start time:	18:31:51
Start date:	08/01/2021
Path:	C:\Users\user\Desktop\shipping order.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\shipping order.exe
Imagebase:	0xbd0000
File size:	2814976 bytes
MD5 hash:	B87925C7EB04ED03B7D1B9A5A39358D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.606733051.00000000032E1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Analysis Process: shipping order.exe PID: 6892 Parent PID: 3472

General

Start time:	18:31:58
Start date:	08/01/2021
Path:	C:\Users\user\Desktop\shipping order.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\shipping order.exe'
Imagebase:	0x880000
File size:	2814976 bytes
MD5 hash:	B87925C7EB04ED03B7D1B9A5A39358D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: WerFault.exe PID: 5960 Parent PID: 5316

General

Start time:	18:31:59
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 2616
Imagebase:	0xd00000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: shipping order.exe PID: 6436 Parent PID: 3472

General

Start time:	18:32:07
Start date:	08/01/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe'
Imagebase:	0xf10000
File size:	2814976 bytes
MD5 hash:	B87925C7EB04ED03B7D1B9A5A39358D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 30%, ReversingLabs

Analysis Process: powershell.exe PID: 5128 Parent PID: 6696

General

Start time:	18:32:12
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force
Imagebase:	0xfd0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exe PID: 5144 Parent PID: 5128

General

Start time:	18:32:13
Start date:	08/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report shipping order.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre