Play interactive tour

Edit tour

Analysis Report zUEBMx2U10.exe

Overview

General Information

Sample Name:	zUEBMx2U10.exe
Analysis ID:	411703
MD5:	9b2b7acc05e281c17f978028722b51e9
SHA1:	9316ff35c185dcf3c80c2c3ab2ff55ff1076652a
SHA256:	92781fa0c501e4375f625a6e8379bbe8f0d7d42fd6699981233a044222e081d4
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected Nanocore RAT

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Creates an autostart registry key pointing to binary in C:\Windows

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Non Interactive PowerShell

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

zUEBMx2U10.exe (PID: 6540 cmdline: 'C:\Users\user\Desktop\zUEBMx2U10.exe' MD5: 9B2B7ACC05E281C17F978028722B51E9)

powershell.exe (PID: 6768 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6792 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zUEBMx2U10.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6884 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 7112 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5784 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

zUEBMx2U10.exe (PID: 2940 cmdline: C:\Users\user\Desktop\zUEBMx2U10.exe MD5: 9B2B7ACC05E281C17F978028722B51E9)

zUEBMx2U10.exe (PID: 3800 cmdline: C:\Users\user\Desktop\zUEBMx2U10.exe MD5: 9B2B7ACC05E281C17F978028722B51E9)

zUEBMx2U10.exe (PID: 6516 cmdline: C:\Users\user\Desktop\zUEBMx2U10.exe MD5: 9B2B7ACC05E281C17F978028722B51E9)

WerFault.exe (PID: 6876 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1760 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 6644 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6276 cmdline: 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' MD5: 9B2B7ACC05E281C17F978028722B51E9)

powershell.exe (PID: 3624 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 1768 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6384 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6480 cmdline: 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' MD5: 9B2B7ACC05E281C17F978028722B51E9)

svchost.exe (PID: 6728 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 6680 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6540 -ip 6540 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 6256 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3224 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2276 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Group": "backup july", "Domain1": "backupjuly.duckdns.org", "Domain2": "backupjuly.duckdns.org", "Port": 9090, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10f25:$x1: NanoCore.ClientPluginHost 0x43d45:$x1: NanoCore.ClientPluginHost 0x10f62:$x2: IClientNetworkHost 0x43d82:$x2: IClientNetworkHost 0x14a95:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x478b5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10c8d:$a: NanoCore 0x10c9d:$a: NanoCore 0x10ed1:$a: NanoCore 0x10ee5:$a: NanoCore 0x10f25:$a: NanoCore 0x43aad:$a: NanoCore 0x43abd:$a: NanoCore 0x43cf1:$a: NanoCore 0x43d05:$a: NanoCore 0x43d45:$a: NanoCore 0x10cec:$b: ClientPlugin 0x10eee:$b: ClientPlugin 0x10f2e:$b: ClientPlugin 0x43b0c:$b: ClientPlugin 0x43d0e:$b: ClientPlugin 0x43d4e:$b: ClientPlugin 0x10e13:$c: ProjectData 0x43c33:$c: ProjectData 0x1181a:$d: DESCrypto 0x4463a:$d: DESCrypto 0x191e6:$e: KeepAlive
00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3bf7ed:$x1: NanoCore.ClientPluginHost 0x3bf82a:$x2: IClientNetworkHost 0x3c335d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3bf555:$a: NanoCore 0x3bf565:$a: NanoCore 0x3bf799:$a: NanoCore 0x3bf7ad:$a: NanoCore 0x3bf7ed:$a: NanoCore 0x3bf5b4:$b: ClientPlugin 0x3bf7b6:$b: ClientPlugin 0x3bf7f6:$b: ClientPlugin 0x3bf6db:$c: ProjectData 0x3c00e2:$d: DESCrypto 0x3c7aae:$e: KeepAlive 0x3c5a9c:$g: LogClientMessage 0x3c1c97:$i: get_Connected 0x3c0418:$j: #=q 0x3c0448:$j: #=q 0x3c0464:$j: #=q 0x3c0494:$j: #=q 0x3c04b0:$j: #=q 0x3c04cc:$j: #=q 0x3c04fc:$j: #=q 0x3c0518:$j: #=q
Process Memory Space: zUEBMx2U10.exe PID: 6540	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc56b8b:$x1: NanoCore.ClientPluginHost 0xc759d7:$x1: NanoCore.ClientPluginHost 0x1054efe:$x1: NanoCore.ClientPluginHost 0xc56bec:$x2: IClientNetworkHost 0xc75a38:$x2: IClientNetworkHost 0x1054f5f:$x2: IClientNetworkHost 0xc5bff1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc69f63:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc7ae3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc88daf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x105a364:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10682d6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: zUEBMx2U10.exe PID: 6540	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: zUEBMx2U10.exe PID: 6540	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc56690:$a: NanoCore 0xc566ac:$a: NanoCore 0xc56807:$a: NanoCore 0xc56816:$a: NanoCore 0xc56aef:$a: NanoCore 0xc56b1b:$a: NanoCore 0xc56b8b:$a: NanoCore 0xc665cd:$a: NanoCore 0xc665df:$a: NanoCore 0xc6661b:$a: NanoCore 0xc754dc:$a: NanoCore 0xc754f8:$a: NanoCore 0xc75653:$a: NanoCore 0xc75662:$a: NanoCore 0xc7593b:$a: NanoCore 0xc75967:$a: NanoCore 0xc759d7:$a: NanoCore 0xc85419:$a: NanoCore 0xc8542b:$a: NanoCore 0xc85467:$a: NanoCore 0x1054a03:$a: NanoCore
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.zUEBMx2U10.exe.6e35d98.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.zUEBMx2U10.exe.6e35d98.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.zUEBMx2U10.exe.6e35d98.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.zUEBMx2U10.exe.6e35d98.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.zUEBMx2U10.exe.6e68bb8.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.zUEBMx2U10.exe.6e68bb8.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.zUEBMx2U10.exe.6e68bb8.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.zUEBMx2U10.exe.6e68bb8.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42fad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42fea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42d15:$a: NanoCore 0x42d25:$a: NanoCore 0x42f59:$a: NanoCore 0x42f6d:$a: NanoCore 0x42fad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42d74:$b: ClientPlugin 0x42f76:$b: ClientPlugin 0x42fb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42e9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x438a2:$d: DESCrypto 0x1844e:$e: KeepAlive
Click to see the 9 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\zUEBMx2U10.exe, ProcessId: 6516, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\zUEBMx2U10.exe, ProcessId: 6516, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\zUEBMx2U10.exe' , ParentImage: C:\Users\user\Desktop\zUEBMx2U10.exe, ParentProcessId: 6540, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force, ProcessId: 6768

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\zUEBMx2U10.exe, ProcessId: 6516, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\zUEBMx2U10.exe, ProcessId: 6516, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Group": "backup july", "Domain1": "backupjuly.duckdns.org", "Domain2": "backupjuly.duckdns.org", "Port": 9090, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Metadefender: Detection: 32%			Perma Link
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	ReversingLabs: Detection: 75%

Multi AV Scanner detection for submitted file

Show sources

Source: zUEBMx2U10.exe	Virustotal: Detection: 42%	Perma Link
Source: zUEBMx2U10.exe	Metadefender: Detection: 32%	Perma Link
Source: zUEBMx2U10.exe	ReversingLabs: Detection: 75%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zUEBMx2U10.exe PID: 6540, type: MEMORY
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: zUEBMx2U10.exe

Joe Sandbox ML: detected

Source: zUEBMx2U10.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.423179502.00000000006BB000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: ml.pdb? source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdbBS? source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: ml.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: c.pdbis?N source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdbC source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000016.00000003.468962239.0000000004CD5000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: (P%pLC:\Windows\Microsoft.VisualBasic.pdb source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb" source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: cryptsp.pdb`S source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdbjS source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbT source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 00000016.00000003.468962239.0000000004CD5000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdbw source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3\|l source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: System.pdbg source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdbXS9 source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\Desktop\zUEBMx2U10.PDB3 source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000016.00000003.468962239.0000000004CD5000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb% source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.419379807.0000000000690000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbT source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbfS source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: rawing.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 00000016.00000003.467783632.0000000004CD1000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000016.00000003.468505271.0000000004B76000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\user\Desktop\zUEBMx2U10.PDB source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdbLS% source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb% source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.423103946.0000000000684000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: cldapi.pdbM source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: np0pVisualBasic.pdb source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbT source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: .pdb(8 source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb{{ source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: zUEBMx2U10.PDBL source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: iertutil.pdb3! source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb^S3 source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbTS source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: cldapi.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000016.00000003.467783632.0000000004CD1000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000016.00000003.467783632.0000000004CD1000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.417934703.0000000000696000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000016.00000003.468962239.0000000004CD5000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000016.00000003.467783632.0000000004CD1000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbl source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: edputil.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: backupjuly.duckdns.org

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: backupjuly.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.6:49728 -> 185.19.85.140:9090

Source: Joe Sandbox View

ASN Name: DATAWIRE-ASCH DATAWIRE-ASCH

Source: svchost.exe, 0000001D.00000003.514597098.0000020C4354B000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001D.00000003.514597098.0000020C4354B000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001D.00000002.539329325.0000020C43557000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-05-11T09:38:07.3274264Z\|\|.\|\|7e6d3bb3-74bc-4bd2-8463-13ea3a980d3c\|\|1152921505693476823\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000001D.00000002.539329325.0000020C43557000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-05-11T09:38:07.3274264Z\|\|.\|\|7e6d3bb3-74bc-4bd2-8463-13ea3a980d3c\|\|1152921505693476823\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000001D.00000003.514597098.0000020C4354B000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",3I equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001D.00000003.514597098.0000020C4354B000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",3I equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001D.00000003.514597098.0000020C4354B000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001D.00000003.514597098.0000020C4354B000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001D.00000003.502580650.0000020C43589000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-28T14:19:25.9172986Z\|\|.\|\|2e8b091b-9a79-4b36-a1ad-1238cc769fa9\|\|1152921505693355901\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-28T14:18:40.1620745Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000001D.00000003.502624263.0000020C4356A000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-28T14:19:25.9172986Z\|\|.\|\|2e8b091b-9a79-4b36-a1ad-1238cc769fa9\|\|1152921505693355901\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-28T14:18:40.1620745Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE

Source: unknown

DNS traffic detected: queries for: backupjuly.duckdns.org

Source: svchost.exe, 0000001D.00000002.531282040.0000020C42CAA000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 0000001D.00000002.531282040.0000020C42CAA000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000001D.00000002.531282040.0000020C42CAA000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 0000001D.00000002.531282040.0000020C42CAA000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000007.00000003.496753193.0000000007457000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: powershell.exe, 00000007.00000003.496753193.0000000007457000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: powershell.exe, 00000007.00000003.496753193.0000000007457000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000003.486985985.0000000005A9B000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000003.507167541.0000000004D32000.00000004.00000001.sdmp	String found in binary or memory: https://go.microd
Source: svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zUEBMx2U10.exe PID: 6540, type: MEMORY
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: zUEBMx2U10.exe PID: 6540, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: zUEBMx2U10.exe PID: 6540, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

.NET source code contains very large strings

Show sources

Source: zUEBMx2U10.exe, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: svchost.exe.1.dr, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 1.2.zUEBMx2U10.exe.bc0000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 1.0.zUEBMx2U10.exe.bc0000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 12.2.zUEBMx2U10.exe.330000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 12.0.zUEBMx2U10.exe.330000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 13.0.svchost.exe.a60000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 15.2.zUEBMx2U10.exe.1e0000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 15.0.zUEBMx2U10.exe.1e0000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 17.0.zUEBMx2U10.exe.ed0000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 18.0.svchost.exe.b30000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

File created: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6

Jump to behavior

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Code function: 1_2_017BA388	1_2_017BA388
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Code function: 1_2_017B0490	1_2_017B0490
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Code function: 1_2_017B2BD8	1_2_017B2BD8
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Code function: 1_2_017B3B75	1_2_017B3B75
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Code function: 1_2_017BA379	1_2_017BA379
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Code function: 1_2_017BA46E	1_2_017BA46E
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Code function: 1_2_017BA4BA	1_2_017BA4BA

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6540 -ip 6540

Source: zUEBMx2U10.exe	Binary or memory string: OriginalFilename vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 00000001.00000002.679374835.0000000006CD1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 00000001.00000002.673906551.00000000066F0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 00000001.00000002.675804424.0000000006950000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameXKEQ OAu.exe2 vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 00000001.00000002.570270331.0000000000BC2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirstoftheday.exe< vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe	Binary or memory string: OriginalFilename vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 0000000C.00000002.382637639.0000000000332000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirstoftheday.exe< vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe	Binary or memory string: OriginalFilename vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 0000000F.00000002.391819204.00000000001E2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirstoftheday.exe< vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 00000011.00000000.393907451.0000000000ED2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirstoftheday.exe< vs zUEBMx2U10.exe

Source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: zUEBMx2U10.exe PID: 6540, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: zUEBMx2U10.exe PID: 6540, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: classification engine

Classification label: mal100.troj.evad.winEXE@48/28@11/3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20210512\PowerShell_transcript.760639.6iHHi+Z_.20210512052205.txt

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6540
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{0a7e289c-1b29-4584-8e36-a27a2b9592bf}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4264:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_01

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uludn5pk.srf.ps1

Jump to behavior

Source: zUEBMx2U10.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: zUEBMx2U10.exe	Virustotal: Detection: 42%
Source: zUEBMx2U10.exe	Metadefender: Detection: 32%
Source: zUEBMx2U10.exe	ReversingLabs: Detection: 75%

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

File read: C:\Users\user\Desktop\zUEBMx2U10.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe 'C:\Users\user\Desktop\zUEBMx2U10.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zUEBMx2U10.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe
Source: unknown	Process created: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe'
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe
Source: unknown	Process created: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6540 -ip 6540
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1760
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zUEBMx2U10.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6540 -ip 6540
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1760
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: zUEBMx2U10.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: zUEBMx2U10.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: zUEBMx2U10.exe

Static file information: File size 3858432 > 1048576

Source: zUEBMx2U10.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3ad600

Source: zUEBMx2U10.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.423179502.00000000006BB000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: ml.pdb? source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdbBS? source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: ml.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: c.pdbis?N source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdbC source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000016.00000003.468962239.0000000004CD5000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: (P%pLC:\Windows\Microsoft.VisualBasic.pdb source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb" source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: cryptsp.pdb`S source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdbjS source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbT source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 00000016.00000003.468962239.0000000004CD5000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdbw source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3\|l source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: System.pdbg source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdbXS9 source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\Desktop\zUEBMx2U10.PDB3 source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000016.00000003.468962239.0000000004CD5000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb% source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.419379807.0000000000690000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbT source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbfS source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: rawing.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 00000016.00000003.467783632.0000000004CD1000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000016.00000003.468505271.0000000004B76000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\user\Desktop\zUEBMx2U10.PDB source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdbLS% source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb% source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.423103946.0000000000684000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: cldapi.pdbM source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: np0pVisualBasic.pdb source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbT source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: .pdb(8 source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb{{ source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: zUEBMx2U10.PDBL source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: iertutil.pdb3! source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb^S3 source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbTS source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: cldapi.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000016.00000003.467783632.0000000004CD1000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000016.00000003.467783632.0000000004CD1000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.417934703.0000000000696000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000016.00000003.468962239.0000000004CD5000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000016.00000003.467783632.0000000004CD1000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbl source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: edputil.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp

Source: zUEBMx2U10.exe

Static PE information: 0x8236B8BB [Fri Mar 25 00:05:15 2039 UTC]

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

Code function: 1_2_017B52C9 push eax; iretd

1_2_017B56A1

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

File created: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: unknown

Executable created and started: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

File created: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

File created: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe

Jump to dropped file

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 9EO342rLb92o62

Jump to behavior

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 9EO342rLb92o62	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 9EO342rLb92o62	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 9EO342rLb92o62	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 9EO342rLb92o62	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

File opened: C:\Users\user\Desktop\zUEBMx2U10.exe:Zone.Identifier read attributes | delete

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Section loaded: OutputDebugStringW count: 230
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Section loaded: OutputDebugStringW count: 115

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: zUEBMx2U10.exe, 00000001.00000002.679374835.0000000006CD1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: zUEBMx2U10.exe, 00000001.00000002.679374835.0000000006CD1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLUSER

Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4399	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2573	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4699
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2451
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4271
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2810
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Window / User API: threadDelayed 3437
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Window / User API: threadDelayed 5550
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Window / User API: foregroundWindowGot 547
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1971
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 626

Source: C:\Users\user\Desktop\zUEBMx2U10.exe TID: 6544	Thread sleep count: 100 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3912	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3912	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6976	Thread sleep count: 4699 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6980	Thread sleep count: 2451 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep count: 57 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6232	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6232	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6356	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6356	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe TID: 6260	Thread sleep count: 100 > 30
Source: C:\Users\user\Desktop\zUEBMx2U10.exe TID: 7104	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe TID: 6472	Thread sleep count: 100 > 30
Source: C:\Windows\System32\svchost.exe TID: 4760	Thread sleep time: -210000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 492	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2988	Thread sleep count: 207 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2988	Thread sleep count: 65 > 30

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread delayed: delay time: 922337203685477

Source: WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: powershell.exe, 00000003.00000003.625601350.0000000005172000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.608755342.00000000058E1000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: svchost.exe, 00000002.00000002.349803562.0000022522F40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.423781311.000001E135F40000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.549548050.0000000004960000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.466257929.0000024F4D140000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: zUEBMx2U10.exe, 00000011.00000003.436168609.0000000001A50000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|
Source: WerFault.exe, 00000016.00000002.547586254.0000000004678000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW(Fx
Source: WerFault.exe, 00000016.00000002.548752130.0000000004780000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.530637699.0000020C42C80000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: zUEBMx2U10.exe, 00000001.00000002.679374835.0000000006CD1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: svchost.exe, 00000002.00000002.349803562.0000022522F40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.423781311.000001E135F40000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.549548050.0000000004960000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.466257929.0000024F4D140000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000002.00000002.349803562.0000022522F40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.423781311.000001E135F40000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.549548050.0000000004960000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.466257929.0000024F4D140000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: VMwareVBox
Source: WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: svchost.exe, 0000001D.00000002.532108002.0000020C42CD6000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWos
Source: svchost.exe, 00000002.00000002.349803562.0000022522F40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.423781311.000001E135F40000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.549548050.0000000004960000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.466257929.0000024F4D140000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: powershell.exe, 00000003.00000003.625601350.0000000005172000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.608755342.00000000058E1000.00000004.00000001.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System information queried: CodeIntegrityInformation

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process queried: DebugPort
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process token adjusted: Debug
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zUEBMx2U10.exe' -Force
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zUEBMx2U10.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force	Jump to behavior
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Memory written: C:\Users\user\Desktop\zUEBMx2U10.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Memory written: unknown base: 400000 value starts with: 4D5A
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Memory written: unknown base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zUEBMx2U10.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6540 -ip 6540
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1760
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Users\user\Desktop\zUEBMx2U10.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Users\user\Desktop\zUEBMx2U10.exe VolumeInformation
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: unknown VolumeInformation

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zUEBMx2U10.exe PID: 6540, type: MEMORY
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: zUEBMx2U10.exe, 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp

String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zUEBMx2U10.exe PID: 6540, type: MEMORY
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Registry Run Keys / Startup Folder11	Process Injection111	Masquerading221	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder11	Disable or Modify Tools11	LSASS Memory	Security Software Discovery431	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion351	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	Virtualization/Sandbox Evasion351	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Timestomp1	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery22	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zUEBMx2U10.exe	43%	Virustotal		Browse
zUEBMx2U10.exe	38%	Metadefender		Browse
zUEBMx2U10.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoBot
zUEBMx2U10.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	100%	Joe Sandbox ML
C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	38%	Metadefender		Browse
C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoBot

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
backupjuly.duckdns.org	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.microd	0%	Avira URL Cloud	safe
backupjuly.duckdns.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
backupjuly.duckdns.org	185.19.85.140	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
backupjuly.duckdns.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000007.00000003.496753193.0000000007457000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000007.00000003.496753193.0000000007457000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/contact/	svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000005.00000003.486985985.0000000005A9B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.roblox.com/develop	svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	false		high
https://instagram.com/hiddencity_	svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
https://go.microd	powershell.exe, 00000007.00000003.507167541.0000000004D32000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/parents/	svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000007.00000003.496753193.0000000007457000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms	svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
https://www.roblox.com/info/privacy	svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	false		high
http://www.g5e.com/termsofservice	svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
https://en.help.roblox.com/hc/en-us	svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.19.85.140	backupjuly.duckdns.org	Switzerland		48971	DATAWIRE-ASCH	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	411703
Start date:	12.05.2021
Start time:	05:21:01
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	zUEBMx2U10.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@48/28@11/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 20 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Excluded IPs from analysis (whitelisted): 92.122.145.220, 40.88.32.150, 20.82.210.154, 2.20.143.16, 2.20.142.209, 92.122.213.194, 92.122.213.247, 20.54.26.129, 52.155.217.156, 13.64.90.137, 23.218.208.56, 20.82.209.183, 52.255.188.83, 13.88.21.125 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:22:06	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 9EO342rLb92o62 C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe
05:22:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce 9EO342rLb92o62 C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe
05:22:36	API Interceptor	765x Sleep call for process: zUEBMx2U10.exe modified
05:22:50	API Interceptor	177x Sleep call for process: powershell.exe modified
05:23:08	API Interceptor	12x Sleep call for process: svchost.exe modified
05:23:21	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.19.85.140	Memorandum of PCR test.exe	Get hash	malicious	Browse
	Memorandum of PCR test.pdf.exe	Get hash	malicious	Browse
	Memorandum on PCR test 001.pdf.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DATAWIRE-ASCH	remittance slip.pdf.exe	Get hash	malicious	Browse	185.19.85.139
	968927d6_by_Libranalysis.exe	Get hash	malicious	Browse	185.19.85.142
	b98b396b_by_Libranalysis.xlsx	Get hash	malicious	Browse	185.19.85.142
	PL-REM-40310EMEA02 (0085).jar	Get hash	malicious	Browse	185.19.85.166
	Appraisal.reportl1100445269900.vbs	Get hash	malicious	Browse	185.19.85.168
	Appraisal.property..vbs	Get hash	malicious	Browse	185.19.85.168
	Appraisal.vbs	Get hash	malicious	Browse	185.19.85.168
	Appraisal.vbs	Get hash	malicious	Browse	185.19.85.168
	p8Up8qw5.exe	Get hash	malicious	Browse	185.19.85.148
	867353735-2021 Presentation Details.vbs	Get hash	malicious	Browse	185.19.85.165
	867353735-2021 Presentation Details.vbs	Get hash	malicious	Browse	185.19.85.165
	VIS_MAL.txt.ps1	Get hash	malicious	Browse	185.19.85.134
	P195 NOVO Cinema#2021.exe	Get hash	malicious	Browse	185.19.85.134
	INVOICE_.EXE	Get hash	malicious	Browse	185.19.85.171
	New Order 567w43.exe	Get hash	malicious	Browse	185.19.85.139
	yZykshDGPX.exe	Get hash	malicious	Browse	185.19.85.162
	Cancellation_Request_pdf.hta	Get hash	malicious	Browse	185.19.85.169
	sfTZCyMKuC.exe	Get hash	malicious	Browse	185.19.85.137
	Booking vouchers.exe	Get hash	malicious	Browse	185.19.85.134
	PurchaseOrder_2021676777.exe	Get hash	malicious	Browse	185.19.85.141

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5958226129883873
Encrypted:	false
SSDEEP:	6:bIE2k1GaD0JOCEfMuaaD0JOCEfMKQmD411Al/gz2cE0fMbhEZolrRSQ2hyYIIT:bICGaD0JcaaD0JwQQ0Ag/0bjSQJ
MD5:	87306F78951BD3787587D871BEB0576F
SHA1:	EEA20FE290598065D9BFE47EBBC26A754A808A9D
SHA-256:	FA205688D9A66BFED57CCB6BAA2F5EE4D9C2AA97B2F5C41F16C3983A255E31BB
SHA-512:	37D2B1EF9F686AB86E9A4EB1BB2AA730FDA3A5409E00ABCC822FAD66391BC281A5EE8731B7E975E74C264A9E1F67088AD8DB30BED8DB440F1DC64FCC7D29B2E1
Malicious:	false
Preview:	....E..h..(..........y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x4279f839, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09541840300770617
Encrypted:	false
SSDEEP:	6:/Gzwl/+zYc1RIE11Y8TRXxw8JM/qKdGzwl/+zYc1RIE11Y8TRXxw8JM/qK:e0+ZO4ble8GqKY0+ZO4ble8GqK
MD5:	158B2CE0BAE4BFDB76929BC97D4ED111
SHA1:	15E99D6C6F156E69607BACDD0FDC97D61A8FDEAB
SHA-256:	201C9AECACABF965D1BCC3A96F6C8648131CA20628BA537096BFD4563F9E4463
SHA-512:	4313CFACB946053B6165E4BE52786D76C87B0EE60F0A3D90A0D375D4EB66895BFF1F89EF746EE8D7E54C01949A0A4645B038F62B8DB5EC253BE583AE2EF5A357
Malicious:	false
Preview:	By.9... ................e.f.3...w........................&..........w.......y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................}Q\......y!{................5.w@.....y!.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.11008638410518784
Encrypted:	false
SSDEEP:	3:0Slll1Evx6zpl+uXl/bJdAtijSl8g//ill:NlYY+At4QM/G
MD5:	32BF03765B201C794379B2886F7DFAAA
SHA1:	E08202B3B58DD149B3E0B8D460B76A5626BDC126
SHA-256:	66BEC12E8D18E3B60AF7FDB42B82BC36E55B6EC7D169444D72AA7B5B3FBFDC08
SHA-512:	FABC8E6B3F216D1E5B05DC8B2091277662256F5A44CE7DA3F27D389CB428D6DBA9DDBA4FD597458806594634EF4D60DA5754A81A89A8375F79617B63DB341253
Malicious:	false
Preview:	.........................................3...w.......y!......w...............w.......w....:O.....w..................5.w@.....y!.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_zUEBMx2U10.exe_78eefa6469bab2f3c8b6995723de54eaa9f64f5_e1271c13_1a835371\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	15168
Entropy (8bit):	3.772575452690747
Encrypted:	false
SSDEEP:	192:oKvDOyUlumHBUZMXSaKA6KZDnyK/u7swS274ItP+:ocOhfBUZMXSaNyK/u7swX4ItP+
MD5:	39A5705C28EFF9F9115F765B235D600D
SHA1:	2E507030B705FAE93A036D6BE596005B9ADAB280
SHA-256:	EA0C60CECCD2B89D2155AE9B9794CF7CCF4597E3153B7174B01CFFBA9B142FA4
SHA-512:	BD759F5505DF9D37528825C13056EB6C6E2CEF432F1A224D5F49B35BECB8D8601814E6150116C244BE0DF285B5721A3C8FD6D63DC7A19E23B3A25F6CF144FF2D
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.5.2.9.5.7.5.7.7.0.3.2.7.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.5.2.9.5.7.9.8.0.4.6.8.3.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.b.9.5.a.0.4.a.-.b.5.f.7.-.4.8.f.f.-.9.8.6.6.-.2.c.0.f.b.0.c.5.6.3.9.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.a.f.6.e.6.6.-.d.3.b.f.-.4.1.6.f.-.a.b.6.4.-.c.e.0.9.6.0.f.5.7.b.2.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.z.U.E.B.M.x.2.U.1.0...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.f.i.r.s.t.o.f.t.h.e.d.a.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.8.c.-.0.0.0.1.-.0.0.1.7.-.1.f.d.a.-.5.8.6.3.2.9.4.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.5.d.1.6.d.f.a.d.6.e.4.2.6.3.2.9.0.4.6.3.0.3.6.0.7.5.2.1.6.9.c.0.0.0.0.0.0.0.0.!.0.0.0.0.9.3.1.6.f.f.3.5.c.1.8.5.d.c.f.3.c.8.0.c.2.c.3.a.b.2.f.f.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER181E.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.696982552174106
Encrypted:	false
SSDEEP:	96:9GiZYW6AzLm/xNYpYaVXWYnIKHtYEZFSt6i6Cq1anwbUH1riamDaxTLIoH3:9jZD6hNefIM7K12amDaxTEoH3
MD5:	637D4D0440F4D049456A47DDA2D36250
SHA1:	6E29AE01893B93BB533E749F5987B68DDA79B972
SHA-256:	210076BDA8F549E60A49EC523AFE682E808D23A05E2FCC167CCAD210F137900A
SHA-512:	1097BEE406A188579C9F3220C966EC35667026014A9BABACE5AEB2D8CBD745BF691E927DE196C6BE293340F2040519FE83CF879DE1EC95E1305F67B2ECCC304C
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A36.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	58944
Entropy (8bit):	3.0571025518576973
Encrypted:	false
SSDEEP:	1536:xGHqNPEqc/iKt3BH8ATAYElNbVGZFY2gHfSW8f:xGHqNPEqc/iKt3BH8ATAYEnbVGZFY2g2
MD5:	86E89D5FE7CF3A80FB59420EE8CC4B9B
SHA1:	95C66477998366246D15E8AB999D90AEED6BEB07
SHA-256:	7D5C6325908AE0C057D35338B114364A159E78849803E6CEAE340B2C1A674A4D
SHA-512:	7D84764E1A31915732AC0582A2233E3183908F23386FA5B008CC3D6CFEE3A636DF9724D13F232683F4914655073B44FF875D283872625FE61CD949CD5A9C091F
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER589F.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.697141196280185
Encrypted:	false
SSDEEP:	96:9GiZYWKpvWZvGGYQjYmWn+HxYEZg5t3iAqWfQwIOvaoYyba9uIIZ3:9jZDbQGVj8uAaoYybaTIZ3
MD5:	510C45A6592056553AC63F4968EABAD0
SHA1:	73FBE155F9199A64F2BA782BAF6F6905DB2A74D2
SHA-256:	BB4D39070AC844F489107E8054EF5F1C3BA4BFCC6B14C695435C3691489D23EE
SHA-512:	FE3C03EF6E5F3A14CF81D37E95627ECD4B6CE9375FC73CBBA66C94AE808835E35B5B7117A8BB543F28E91E59645A69DEC6453FA8F4514579791D1B132DCD747D
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E9.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4753
Entropy (8bit):	4.485781982557908
Encrypted:	false
SSDEEP:	48:cvIwSD8zs/JgtWI9oGWSC8BYb8fm8M4JCiFFR+q8vViBAo80d:uITfhbHSNGYJVKuAo/d
MD5:	B9A973CC04B128D87032237E0E10CC66
SHA1:	B882B98974A8A53B92B54DD941FE771FCF554D01
SHA-256:	03CCC40385E487425ABE03A1C21E498640F3CCDECCFC7E990B6FAD9D8B1FA1D6
SHA-512:	1588F3CCDA280391B683CB10BB89E2F6E5C4CD20CE1E36DF0961F78937B3BC0F47B77D7D8F6C251FF487D3AAA8A3B0333EF5EF551E3FED9BD47DE4F03653B298
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="986253" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER716.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	56228
Entropy (8bit):	3.0625949262184773
Encrypted:	false
SSDEEP:	1536:j6H6MLtKN06xBLeHxAK+vuiXzzFGZCEpJIRNFCG:j6H6MLtKN06xBLeHxAK+v9XzzFGZCEpo
MD5:	3A17C870469D8BB2B909FBA7DED15A03
SHA1:	62E3F24D0E2B3035F3DA819DB45600B4B4B7117A
SHA-256:	6E56C33E71BFCCE9DB722CF225902A1C48A8EA19C6214A3438EAE820AE179C48
SHA-512:	379184342EDF4CF5C6A7D04C9511E03F7C0AE0C4CE37D035B33E52EA5971AD89C1B4DCAD7EA4A77268EE57313DC313BCB9E70CBA6001D93EB1C4AEBCC15D4962
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA985.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 12 12:22:55 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	272356
Entropy (8bit):	3.878367992737439
Encrypted:	false
SSDEEP:	3072:I7s5Qu01GOjd+p6p6r5D69gIOgF54d0HUCgUukoZP2fR:P0sLpsJ9RpDSUTjukLZ
MD5:	294145C1B9BF2FA2BA10327C9A1866A0
SHA1:	C5337481A0144CD109270EB56B907BFF63733FDB
SHA-256:	5AC2047BFC75F4BF87B82C00720667A716BAB6D7C4DF5DA059129B5D5B0DD2BF
SHA-512:	110460301EDBBDCA459A3FC4223BD8C30C169AF47DB4BFA466DFE9789A5FE1813C1CA2DF163D3A82198BD794762D3339E0A5BA2AEC45E10E0B708955FE241198
Malicious:	false
Preview:	MDMP....... .........`...................U...........B......t&......GenuineIntelW...........T..........._.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF842.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8406
Entropy (8bit):	3.698829527938305
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNilU6fj6YJDSUacZZgmfZPSBCprd89bLPsfPtZm:RrlsNiG6fj6YdSUacZZgmfRSjL0fP6
MD5:	A0E276EED1D6DBFCE8D480F8F3449B32
SHA1:	B225F1BDAED285C408DDBC60C8676CBA1EBDE820
SHA-256:	0AEC53F74EE6C6F7B12668DA50C3B560AC8FBDAAED5769862C74CB09FD7A818F
SHA-512:	E359B8C20DE5DDEC8530992DB9FEF26A202076E6480C7FB3425DD09233AC0C823DD5482671509007FD64D108A7F4E2D358DF339B5BA0D2A631A845A5FBFA2480
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.4.0.<./.P.i.d.>.......

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	25168
Entropy (8bit):	4.975582086060887
Encrypted:	false
SSDEEP:	768:6BV3IpNBQkj2Lh4iUxQedNYotBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYoI:6BV3CNBQkj2Lh4iUxvdNYotBV3CNBQkx
MD5:	62E1AE94DE84ED9286704EBD6856A263
SHA1:	4888C4CFAA74FA9BCD7339CBF760B1060314246B
SHA-256:	9AC3E181F8EB940093EF7F212696338C30CD1407AF8ECB25610C39D6B00D4C43
SHA-512:	E99B7BA733C622C675AA7944338E994EE0D941663D812D702D986F4C162C4BC40FA2C837C6C761598B826A8CB7157DFBDDC20932B41B3D637209B3333BEEEB37
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ppcodrv.gyz.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1v0s3drz.b2l.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bnck3iqu.cd0.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jxa21zr3.o5a.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nxvdofi2.t21.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uludn5pk.srf.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\zUEBMx2U10.exe
File Type:	data
Category:	dropped
Size (bytes):	1856
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhL:HjhDjhDjhDjhDjhDjhDjhDjhL
MD5:	30D23CC577A89146961915B57F408623
SHA1:	9B5709D6081D8E0A570511E6E0AAE96FA041964F
SHA-256:	E2130A72E55193D402B5F43F7F3584ECF6B423F8EC4B1B1B69AD693C7E0E5A9E
SHA-512:	2D5C5747FD04F8326C2CC1FB313925070BC01D3352AFA6C36C167B72757A15F58B6263D96BD606338DA055812E69DDB628A6E18D64DD59697C2F42D1C58CC687
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\zUEBMx2U10.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:2FNn:2FN
MD5:	B9BC5CD5EAF6A468D168FB442D2E8F9B
SHA1:	7353405914980EEF7C77A9B073F055A3A605A515
SHA-256:	8882268570AB664B41A35932220BB9CA45EB1FC1840433D086861B029055F325
SHA-512:	91D483A09B0924C53076BE4D8EA83A3CF882145A4802AAE50F3B9FF93261BABE34152EBA8568274CDA7355A73D28A0514878B22E47BB1EF47BCEBB28486D05B8
Malicious:	true
Preview:	.8..@..H

C:\Users\user\Documents\20210512\PowerShell_transcript.760639.0gogqNuT.20210512052206.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1670
Entropy (8bit):	5.409109800001059
Encrypted:	false
SSDEEP:	48:BZyvTL7oO+SWrCaqDYB1ZFWr8ZxvTL7oO+SWrCaqDYB1ZA:BZOTL7NQrNqDo1ZQr8Z9TL7NQrNqDo1m
MD5:	E721A80A2E19603A6D3D58612B752908
SHA1:	A879BA89D2D04B4495B6599F9EEBA7B1FFAFD810
SHA-256:	A9CC9D35C03DC87A11560A8C271CCB8753953073DBE34FB8C080D3B45E779EE9
SHA-512:	0FF90B271CDFEFAF5362FF2EEAE99ED3F01E4E762C5E69B5C5C37A23B0CD4033E31A66B3DB7B190886E5C30563780FB76EDC253CAEAAC8EC768EBF0AB4B5E711
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210512052235..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 760639 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe -Force..Process ID: 6884..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210512052236..******************..PS>Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe -Force..********************..Windows PowerShell transcript star

C:\Users\user\Documents\20210512\PowerShell_transcript.760639.6iHHi+Z_.20210512052205.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1670
Entropy (8bit):	5.404428336497538
Encrypted:	false
SSDEEP:	48:BZ1vTL7oO+SWrCjqDYB1ZqWr8ZhvTL7oO+SWrCjqDYB1ZA:BZ5TL7NQrQqDo1Zjr8ZNTL7NQrQqDo1m
MD5:	95CF25D28B6DD66BBD65DC6981EE268C
SHA1:	DD8240ABD38443DC2D1B842A4BE75D60ADAA04F6
SHA-256:	7DB258F10C5C48BD65DF0A3D7C796D2C79F493607A682309B8C3C50381B3FD69
SHA-512:	47C5F49146563B84CBF486828C6C78690F91DC8561C1BD45AAE272D2B1143632A0A41134096ACBB11F465D5463B80B744A40420C813BD25286644794E5729D47
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210512052230..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 760639 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe -Force..Process ID: 6768..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210512052231..******************..PS>Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe -Force..********************..Windows PowerShell transcript star

C:\Users\user\Documents\20210512\PowerShell_transcript.760639.yQJTMGoZ.20210512052205.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5157
Entropy (8bit):	5.40281500495079
Encrypted:	false
SSDEEP:	96:BZ0TL7NT3qDo1ZQZMTL7NT3qDo1Zm4yQjZcTL7NT3qDo1ZKZA9:QXct
MD5:	C842B072D4CD14B613110323B78EEC3B
SHA1:	FD9727C0CA8A4AADA32EB9B2F8D6771A11A3C9F7
SHA-256:	4C877AB28F383BBD5FFD805D2F7108181C416BEC4592A20F5344A4789DF3B176
SHA-512:	D3C6238D1651F5E0D2DCD171E071474DB2FD88AE23B07F33A53084F7B4CF3A484F00D627589514812362ABEF3B237D232590AE5D572EEB3FB9564168416C0F3F
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210512052228..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 760639 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\zUEBMx2U10.exe -Force..Process ID: 6792..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210512052229..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\zUEBMx2U10.exe -Force..********************..Windows PowerShell transcript start..Start time: 20210512053304..Username: computer\user..RunAs User: DESKTOP

C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe Download File
Process:	C:\Users\user\Desktop\zUEBMx2U10.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3858432
Entropy (8bit):	2.557351272214791
Encrypted:	false
SSDEEP:	1536:cGEBIZ5HlFuxK0Roj0whXkyiaCVS1nKT+jQdvWxdisWf52MvAsqPqMxm/wr59vEZ:cx
MD5:	9B2B7ACC05E281C17F978028722B51E9
SHA1:	9316FF35C185DCF3C80C2C3AB2FF55FF1076652A
SHA-256:	92781FA0C501E4375F625A6E8379BBE8F0D7D42FD6699981233A044222E081D4
SHA-512:	BE7BA4787433FB3FABCBC66088553FB424A65DD1C654E23458805019A2E156B4296495AE044918A49F4DFB846CC646DB26DB34704C0F3B8218CE721D0A282B24
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 38%, Browse Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6..........."...0...:...........:.. ....;...@.. .......................@;...........@.................................d.:.W.....;...................... ;...................................................... ............... ..H............text.....:.. ....:................. ..`.rsrc.........;.......:.............@..@.reloc....... ;.......:.............@..B..................:.....H.......8%..,.:..........$...............................................".(.....^..}.....(.......(........s....}......(...... ... ....s....( .....r..:po!....&.(......".......".(%....Vs....(&...t.............0...........s.....+........o.....*..0...........s.....s.....(.....+........r...po.... ....[..(.....(........(.....l.........,.+.....+.r...po....................o...........,.+....X......+..........%.. .o.........+I..........o...........,.+)..r..:p(........,.+....

C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\zUEBMx2U10.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	2.557351272214791
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	zUEBMx2U10.exe
File size:	3858432
MD5:	9b2b7acc05e281c17f978028722b51e9
SHA1:	9316ff35c185dcf3c80c2c3ab2ff55ff1076652a
SHA256:	92781fa0c501e4375f625a6e8379bbe8f0d7d42fd6699981233a044222e081d4
SHA512:	be7ba4787433fb3fabcbc66088553fb424a65dd1c654e23458805019a2e156b4296495ae044918a49f4dfb846cc646db26db34704c0f3b8218ce721d0a282b24
SSDEEP:	1536:cGEBIZ5HlFuxK0Roj0whXkyiaCVS1nKT+jQdvWxdisWf52MvAsqPqMxm/wr59vEZ:cx
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6..........."...0...:...........:.. ....;...@.. .......................@;...........@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x7af4be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x8236B8BB [Fri Mar 25 00:05:15 2039 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3af464	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b0000	0x5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3b2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3ad4c4	0x3ad600	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x3b0000	0x5c8	0x600	False	0.416015625	data	4.10885896675	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3b2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x3b00a0	0x33c	data
RT_MANIFEST	0x3b03dc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2021
Assembly Version	1.0.0.0
InternalName	firstoftheday.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	firstoftheday
ProductVersion	1.0.0.0
FileDescription	firstoftheday
OriginalFilename	firstoftheday.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 05:22:42.181093931 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:42.535836935 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:42.535957098 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:43.021526098 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:43.417398930 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:43.436244011 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:43.756023884 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:43.800909996 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:44.793487072 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.233567953 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.233639002 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.233707905 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.233779907 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.234361887 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.234433889 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.234456062 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.234580040 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.234647989 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.586976051 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.587085009 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.587116957 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.587173939 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.587271929 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.587327003 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.587449074 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.587498903 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.587587118 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.587635994 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.587812901 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.587866068 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.588157892 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.588201046 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.588221073 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.588315010 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.903383970 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.903712034 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.903800011 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.903809071 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.904248953 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.904311895 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.904378891 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.904501915 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.904546976 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.904601097 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.904938936 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.904989958 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.905092001 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.905220032 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.905270100 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.905327082 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.905430079 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.905477047 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.905534983 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.905827045 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.905874014 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.905886889 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.906181097 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.906239986 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.242923975 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.242954969 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.242966890 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.243083000 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.243138075 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.243163109 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.243175983 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.243225098 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.243271112 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.243534088 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.243556023 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.243621111 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.243680954 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.243798971 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.243855953 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.243957996 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.244070053 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.244124889 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.244450092 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.244504929 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.244560957 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.244638920 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.244755030 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.244810104 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.244966984 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.245413065 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.245475054 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.245563030 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.245697021 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.245743036 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.245847940 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.245954037 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.246000051 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.246074915 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.246160030 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.246201992 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.246447086 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.246548891 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.246591091 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.246679068 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.246911049 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.246929884 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.246963978 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.247036934 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.247085094 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.247121096 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.247225046 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.247272968 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.573626041 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.573672056 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.573688984 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.573828936 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.573903084 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.573946953 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.573946953 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.574049950 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.574115992 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.574172020 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.574894905 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.575016975 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.575889111 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.576212883 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.576309919 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.576319933 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.576495886 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.576560974 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.576831102 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.577052116 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.577122927 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.577181101 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.577332973 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.577394962 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.577450037 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.577526093 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.577585936 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.577656984 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.577825069 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.577891111 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.577941895 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.578064919 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.578128099 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.578227043 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.578427076 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.578485966 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.578536034 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.578789949 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.578852892 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.602709055 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.602737904 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.602785110 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.602809906 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.602916002 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.602988005 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.603039980 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.603198051 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.603250980 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.603359938 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.603526115 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.603579998 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.603593111 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.603712082 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.603787899 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.604226112 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.604311943 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.604377031 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.604780912 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.610239029 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.610277891 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.610375881 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.611396074 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.611493111 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.611605883 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.611844063 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.611911058 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.611968040 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.612238884 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.612297058 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.612374067 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.613147974 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.613231897 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.613420010 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.613773108 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.613867044 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.614553928 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.718780041 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.799829006 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.914982080 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.915028095 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.915108919 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.915132999 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.915211916 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.915220022 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.915241957 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.915281057 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.915304899 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.915328026 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.915394068 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.915450096 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.915508032 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.915560007 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.915920973 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.916023970 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.916062117 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.916122913 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.916203022 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.916261911 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.916305065 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.916366100 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.979942083 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.979979038 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.980036020 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.980119944 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.980164051 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.980243921 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.980303049 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.980333090 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.980384111 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.980465889 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.980530024 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.980812073 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.980887890 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.980920076 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.980966091 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.981612921 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.981700897 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.981714964 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.981777906 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.982008934 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.982367039 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.982409954 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.982466936 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.982642889 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.982697964 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.987469912 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.987505913 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.987636089 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.003750086 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.003806114 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.003902912 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.003927946 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.003957987 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.003961086 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.004048109 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.004097939 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.004153967 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.004199028 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.004378080 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.004452944 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.004615068 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.004682064 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.004749060 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.004805088 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.034040928 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.034079075 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.034128904 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.034136057 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.034162045 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.034188986 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.034261942 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.034310102 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.040138960 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.040167093 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.040220976 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.040261984 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.040278912 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.040549994 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.040658951 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.040715933 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.040730000 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.040796041 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.040851116 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.040899992 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.040951967 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.041023970 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.041078091 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.041135073 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.041191101 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.041299105 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.041361094 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.041379929 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.041455030 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.041467905 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.041601896 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.046580076 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.046655893 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.172274113 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.273880959 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.273952007 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.274013996 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.274122953 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.274806976 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.274893999 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.276190042 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.276240110 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.276326895 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.276371002 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.276493073 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.276544094 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.277112007 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.277450085 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.277520895 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.277595043 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.309040070 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.309067011 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.309155941 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.309180021 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.309227943 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.309294939 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.309597969 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.309664965 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.309876919 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.310349941 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.310431957 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.310484886 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.310678005 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.310739040 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.310847998 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.310950041 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.311006069 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.311054945 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.311172962 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.311244011 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.311419010 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.311619997 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.311698914 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.311714888 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.311846018 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.311914921 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.311947107 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.312062979 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.312203884 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.312304974 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.317827940 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.317872047 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.317920923 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.318324089 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.318409920 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.318973064 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.319237947 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.319331884 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.319349051 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.319719076 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.319796085 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.319874048 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.319989920 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.320064068 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.339101076 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.339157104 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.339196920 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.339235067 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.339319944 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.339365005 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.339730024 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.339792967 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.339845896 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.339895010 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.339951038 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.339993954 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.340156078 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.340209961 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.340280056 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.340326071 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.340432882 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.340483904 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.340550900 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.340598106 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.340714931 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.340763092 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.340831995 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.340878963 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.341154099 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.341208935 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.341295004 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.341344118 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.341439009 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.341490030 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.341555119 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.341602087 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.365483046 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.365552902 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.365561008 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.365606070 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.365645885 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.365690947 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.368189096 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.368289948 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.368966103 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.369035959 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.369081020 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.369123936 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.369442940 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.369509935 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.407649994 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.407812119 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.408454895 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.408541918 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.408648014 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.408703089 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.410588026 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.410665035 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.412702084 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.412766933 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.412789106 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.412808895 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.412889004 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.412933111 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.413125992 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.413172007 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.414822102 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.414884090 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.414967060 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.415018082 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.415210009 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.415258884 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.415380955 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.415453911 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.415575027 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.415771961 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.416047096 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.416124105 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.664288044 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.664339066 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.664377928 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.664402962 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.664421082 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.664508104 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.664539099 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.664640903 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.664657116 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.664711952 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.664776087 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.664899111 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.664905071 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.664942026 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.665021896 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.665074110 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.665102959 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.665173054 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.665205956 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.665261984 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.676913023 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.676938057 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.676991940 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.677094936 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.677145004 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.677189112 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.677243948 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.677310944 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.677372932 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.697971106 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.698012114 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.698121071 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.698141098 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.698194981 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.698261976 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.698323011 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.698363066 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.698419094 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.698445082 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.698497057 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.698724031 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.698796988 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.698848009 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.698909044 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.698916912 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.698971033 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.708950996 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.712620974 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.712656975 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.712734938 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.712759972 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.712768078 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.712820053 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.712881088 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.712938070 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.712975979 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.713021994 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.713124037 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.713182926 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.713232040 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.713282108 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.713363886 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.713414907 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.713505983 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.713557959 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.713597059 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.713648081 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.713804960 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.713833094 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.713862896 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.713886023 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:47.714759111 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:47.714859009 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:52.399439096 CEST	49729	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:52.768312931 CEST	9090	49729	185.19.85.140	192.168.2.6
May 12, 2021 05:22:52.768651962 CEST	49729	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:52.798762083 CEST	49729	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:53.145499945 CEST	9090	49729	185.19.85.140	192.168.2.6
May 12, 2021 05:22:53.150480032 CEST	49729	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:53.583333969 CEST	9090	49729	185.19.85.140	192.168.2.6
May 12, 2021 05:22:53.583955050 CEST	49729	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:54.000900030 CEST	9090	49729	185.19.85.140	192.168.2.6
May 12, 2021 05:22:54.000997066 CEST	49729	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:54.420691967 CEST	9090	49729	185.19.85.140	192.168.2.6
May 12, 2021 05:22:54.421274900 CEST	49729	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:54.834156990 CEST	49729	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:54.916842937 CEST	9090	49729	185.19.85.140	192.168.2.6
May 12, 2021 05:22:54.916871071 CEST	9090	49729	185.19.85.140	192.168.2.6
May 12, 2021 05:22:54.916949987 CEST	49729	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:54.916969061 CEST	9090	49729	185.19.85.140	192.168.2.6
May 12, 2021 05:22:54.916977882 CEST	49729	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:54.916986942 CEST	9090	49729	185.19.85.140	192.168.2.6
May 12, 2021 05:22:54.917974949 CEST	49729	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:54.920592070 CEST	9090	49729	185.19.85.140	192.168.2.6
May 12, 2021 05:22:54.920684099 CEST	49729	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:00.401000977 CEST	49730	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:00.761539936 CEST	9090	49730	185.19.85.140	192.168.2.6
May 12, 2021 05:23:00.761719942 CEST	49730	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:00.762485027 CEST	49730	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:01.152896881 CEST	9090	49730	185.19.85.140	192.168.2.6
May 12, 2021 05:23:01.239875078 CEST	49730	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:01.675323963 CEST	9090	49730	185.19.85.140	192.168.2.6
May 12, 2021 05:23:01.739924908 CEST	49730	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:01.745582104 CEST	49730	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:07.086256981 CEST	49732	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:10.100076914 CEST	49732	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:10.420160055 CEST	9090	49732	185.19.85.140	192.168.2.6
May 12, 2021 05:23:10.420342922 CEST	49732	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:10.502695084 CEST	49732	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:10.885179043 CEST	9090	49732	185.19.85.140	192.168.2.6
May 12, 2021 05:23:10.886554003 CEST	9090	49732	185.19.85.140	192.168.2.6
May 12, 2021 05:23:10.887049913 CEST	49732	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:11.256628036 CEST	9090	49732	185.19.85.140	192.168.2.6
May 12, 2021 05:23:11.258048058 CEST	49732	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:12.022053957 CEST	49732	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:12.242012978 CEST	9090	49732	185.19.85.140	192.168.2.6
May 12, 2021 05:23:12.244124889 CEST	49732	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:12.355048895 CEST	9090	49732	185.19.85.140	192.168.2.6
May 12, 2021 05:23:13.006510973 CEST	49732	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:13.352952003 CEST	49732	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:13.416131973 CEST	9090	49732	185.19.85.140	192.168.2.6
May 12, 2021 05:23:13.416291952 CEST	49732	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:13.439815044 CEST	9090	49732	185.19.85.140	192.168.2.6
May 12, 2021 05:23:13.441308975 CEST	49732	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:17.531852007 CEST	49741	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:17.938725948 CEST	9090	49741	185.19.85.140	192.168.2.6
May 12, 2021 05:23:17.938858032 CEST	49741	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:17.939584970 CEST	49741	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:18.344222069 CEST	9090	49741	185.19.85.140	192.168.2.6
May 12, 2021 05:23:18.397656918 CEST	49741	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:18.445286989 CEST	49741	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:18.805167913 CEST	9090	49741	185.19.85.140	192.168.2.6
May 12, 2021 05:23:18.850725889 CEST	49741	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:18.895102978 CEST	9090	49741	185.19.85.140	192.168.2.6
May 12, 2021 05:23:18.895242929 CEST	49741	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:19.360236883 CEST	9090	49741	185.19.85.140	192.168.2.6
May 12, 2021 05:23:19.363185883 CEST	49741	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:19.429425001 CEST	49741	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:19.758971930 CEST	9090	49741	185.19.85.140	192.168.2.6
May 12, 2021 05:23:19.759015083 CEST	9090	49741	185.19.85.140	192.168.2.6
May 12, 2021 05:23:19.759047985 CEST	49741	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:19.759087086 CEST	49741	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:19.759182930 CEST	9090	49741	185.19.85.140	192.168.2.6
May 12, 2021 05:23:19.759241104 CEST	49741	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:19.759299994 CEST	9090	49741	185.19.85.140	192.168.2.6
May 12, 2021 05:23:19.759354115 CEST	49741	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:19.759422064 CEST	9090	49741	185.19.85.140	192.168.2.6
May 12, 2021 05:23:19.759476900 CEST	49741	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:23.686506033 CEST	49747	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:23.993526936 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:23.993714094 CEST	49747	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:25.135401964 CEST	49747	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:25.540951014 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:25.541115046 CEST	49747	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:25.932243109 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:25.932384968 CEST	49747	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:26.287369967 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:26.287564993 CEST	49747	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:26.634865999 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:26.635093927 CEST	49747	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:27.153055906 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:27.153084040 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:27.153150082 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:27.153201103 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:27.153254032 CEST	49747	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:27.153306961 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:27.153359890 CEST	49747	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:27.274375916 CEST	49747	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:27.478971004 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:27.479001999 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:27.479152918 CEST	49747	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:27.479252100 CEST	49747	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:27.479717970 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:27.479887962 CEST	49747	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:27.480303049 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:27.480444908 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:27.480526924 CEST	49747	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:27.481193066 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:27.481281042 CEST	49747	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:27.481364965 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:27.481442928 CEST	49747	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:27.481574059 CEST	9090	49747	185.19.85.140	192.168.2.6
May 12, 2021 05:23:27.481785059 CEST	49747	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:32.801681042 CEST	49752	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:33.164804935 CEST	9090	49752	185.19.85.140	192.168.2.6
May 12, 2021 05:23:33.168028116 CEST	49752	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:33.496709108 CEST	49752	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:33.885534048 CEST	9090	49752	185.19.85.140	192.168.2.6
May 12, 2021 05:23:33.888075113 CEST	49752	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:34.327838898 CEST	9090	49752	185.19.85.140	192.168.2.6
May 12, 2021 05:23:34.328517914 CEST	49752	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:34.687542915 CEST	9090	49752	185.19.85.140	192.168.2.6
May 12, 2021 05:23:34.687906981 CEST	49752	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:35.079524994 CEST	9090	49752	185.19.85.140	192.168.2.6
May 12, 2021 05:23:35.079700947 CEST	49752	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:35.599545956 CEST	49752	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:35.621721029 CEST	9090	49752	185.19.85.140	192.168.2.6
May 12, 2021 05:23:35.622087002 CEST	9090	49752	185.19.85.140	192.168.2.6
May 12, 2021 05:23:35.622174978 CEST	9090	49752	185.19.85.140	192.168.2.6
May 12, 2021 05:23:35.622287035 CEST	9090	49752	185.19.85.140	192.168.2.6
May 12, 2021 05:23:35.622371912 CEST	9090	49752	185.19.85.140	192.168.2.6
May 12, 2021 05:23:35.623297930 CEST	49752	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:35.623522043 CEST	49752	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:44.297445059 CEST	49753	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:44.681099892 CEST	9090	49753	185.19.85.140	192.168.2.6
May 12, 2021 05:23:44.681293964 CEST	49753	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:44.681771040 CEST	49753	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:45.020302057 CEST	9090	49753	185.19.85.140	192.168.2.6
May 12, 2021 05:23:45.259360075 CEST	49753	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:45.666239977 CEST	49753	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:45.674274921 CEST	9090	49753	185.19.85.140	192.168.2.6
May 12, 2021 05:23:45.674468040 CEST	49753	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:50.339140892 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:50.652334929 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:50.652508020 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:50.802229881 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:51.128987074 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:51.133624077 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:51.453636885 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:51.453870058 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:51.817524910 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:51.817811966 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:52.333945990 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:52.334182024 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:52.334316969 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:52.334342003 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:52.334418058 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:52.334481001 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:52.337316990 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:52.337420940 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:52.717611074 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:52.717708111 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:52.717814922 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:52.717942953 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:52.719185114 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:52.719254971 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:52.719774008 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:52.719898939 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:52.719953060 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:52.720024109 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:52.720227003 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:52.720278978 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.086924076 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.086965084 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.086986065 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.087105036 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.087116957 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.087205887 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.093159914 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.093887091 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.093971014 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.094271898 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.094455004 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.094536066 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.094949961 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.096434116 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.096513987 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.096863031 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.097100973 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.097155094 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.097484112 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.097873926 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.097937107 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.098648071 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.099258900 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.099318027 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.182491064 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.457243919 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.457284927 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.457298040 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.457429886 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.457505941 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.457540989 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.457547903 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.457669020 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.457705975 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.457741976 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.457750082 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.457828045 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.457950115 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.458019018 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.458026886 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.458090067 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.458143950 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.458209991 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.458233118 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.458292961 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.458344936 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.458400011 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.458529949 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.458597898 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.458620071 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.458688974 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.458741903 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.458811998 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.458914995 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.458988905 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.468775988 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.468900919 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.470312119 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.470429897 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.470534086 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.470618963 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.472110987 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.472203970 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.473929882 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.474021912 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.474071026 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.474147081 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.474668026 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.474741936 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.474750996 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.474817991 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.475107908 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.475176096 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.475224018 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.475296021 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.475425959 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.475492001 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.475786924 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.475857019 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.475909948 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.475980043 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.476026058 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.476104975 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.476135969 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.476211071 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:53.476310968 CEST	9090	49759	185.19.85.140	192.168.2.6
May 12, 2021 05:23:53.476378918 CEST	49759	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:57.540932894 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:57.925919056 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:23:57.926150084 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:58.229988098 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:59.010428905 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:23:59.347512007 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:00.198064089 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:00.544579029 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:00.547039986 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:00.588681936 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:00.756004095 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:01.080811977 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:01.135606050 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:01.939436913 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:02.698272943 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:03.175971985 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.176119089 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.176187038 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.176311016 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:03.176394939 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.176542044 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.176611900 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:03.458930969 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.459012032 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.459052086 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.459110975 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:03.459145069 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.459197998 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:03.459283113 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.459471941 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.459526062 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:03.459630013 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.459801912 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.459851027 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:03.785640001 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.785677910 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.785758018 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.785840034 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:03.785939932 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.786015987 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:03.786032915 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.786138058 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.786252975 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:03.786335945 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.786628008 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.786705971 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.786708117 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:03.787247896 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.787347078 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:03.787442923 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.787569046 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.787641048 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:03.787688971 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.788172007 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.788271904 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.788292885 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:03.788430929 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:03.788481951 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:04.147567034 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:04.147744894 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:04.443253994 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:04.443398952 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:04.753424883 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:04.753545046 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:05.093108892 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:05.093173027 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:05.093281984 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:05.425995111 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:05.426131964 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:05.426162958 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:05.426188946 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:05.426227093 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:05.426256895 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:05.792216063 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:05.792320967 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:05.792401075 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:05.792416096 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:05.792449951 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:05.792510033 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:05.792560101 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:05.792639017 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:05.792701006 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:05.792762995 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:05.793034077 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.128654003 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.128688097 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.128712893 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.128837109 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.129000902 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.129029989 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.129055023 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.129070044 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.129079103 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.129128933 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.129405022 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.129467010 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.129519939 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.129544020 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.129570961 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.129601002 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.129765034 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.129959106 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.130034924 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.452519894 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.452548027 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.452606916 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.452629089 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.452651978 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.452744007 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.452749014 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.452797890 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.452853918 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.452899933 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.452992916 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.453111887 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.453165054 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.453249931 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.453299999 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.453600883 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.453675032 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.453705072 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.454082966 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.454189062 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.454257011 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.454353094 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.454406023 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.454514027 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.454590082 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.456816912 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.797192097 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.809278011 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.809309959 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.809437990 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.809541941 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.809597969 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.809623003 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.809786081 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.809915066 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.809969902 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.809971094 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.810015917 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.810188055 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.810302019 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.810421944 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.810475111 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.810534000 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.810587883 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.810659885 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.810780048 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.810877085 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.810941935 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.811023951 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.811075926 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.811132908 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.811258078 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.811340094 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.811419964 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:06.811444044 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:06.811503887 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.162895918 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.163039923 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.163157940 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.163181067 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.163253069 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.163446903 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.163505077 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.163567066 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.163614988 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.163660049 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.163769007 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.163930893 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.163981915 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.164060116 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.164107084 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.164125919 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.164372921 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.164554119 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.164629936 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.164745092 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.164796114 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.164861917 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.166405916 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.166429996 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.166508913 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.166532993 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.166579962 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.168248892 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.168325901 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.168412924 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.168446064 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.214248896 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.536314011 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.536405087 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.536448002 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.536528111 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.536675930 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.536761045 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.536912918 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.537008047 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.537151098 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.537214994 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.537297964 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.537398100 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.537468910 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.537559986 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.537616968 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.537698984 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.537875891 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.537966967 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.538266897 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.538507938 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.538587093 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.538628101 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.538737059 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.538793087 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.539021015 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.539141893 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.539225101 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.539252996 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.539383888 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.539444923 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.539484024 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.585491896 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.585681915 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.860253096 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.860323906 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.860368013 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.860384941 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.860651970 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.860713959 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.860745907 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.860753059 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.860807896 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.860901117 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.901803970 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.912018061 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.912133932 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.912213087 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.912271023 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.912321091 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.912372112 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.912394047 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.912519932 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.912625074 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.912682056 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.912734032 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.912781000 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.912859917 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.912962914 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.913090944 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.913144112 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.913213968 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.913268089 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.913300991 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.916466951 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.916538000 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:07.916553974 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.916920900 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:07.916974068 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.167268038 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.167315960 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.167371035 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.167475939 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.167480946 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.167535067 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.174892902 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.174983978 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.276770115 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.278501987 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.314222097 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.314280987 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.314302921 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.314321041 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.314359903 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.314367056 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.314387083 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.314420938 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.314466953 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.314531088 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.314713001 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.314781904 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.314827919 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.314871073 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.314893007 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.314930916 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.315032005 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.315099001 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.315143108 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.315201998 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.315265894 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.315334082 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.315346956 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.315408945 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.315628052 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.315691948 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.315898895 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.315967083 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.316024065 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.316086054 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.316150904 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.316231012 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.316591024 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.316687107 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.558743000 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.558783054 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.558831930 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.558871031 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.558917046 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.558937073 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.559012890 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.559279919 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.559367895 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.681324959 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.681538105 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.684942007 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.684988976 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.685045004 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.685076952 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.685154915 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.685163021 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.694489002 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.694536924 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.694590092 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.694665909 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.694736004 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.694735050 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.694823980 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.927030087 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.929519892 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.935934067 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.936011076 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.936068058 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:08.936073065 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:08.936132908 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:09.131865978 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.131932974 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.131993055 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.132102966 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:09.132126093 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.132231951 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:09.132241964 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:09.132314920 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.132407904 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:09.342140913 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.342560053 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.342600107 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.342683077 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:09.342731953 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:09.445421934 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.445456982 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.445558071 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:09.445799112 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.445909977 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.445975065 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:09.666361094 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.666421890 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.666632891 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:09.783591032 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.783646107 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.783751011 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.783755064 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:09.783874035 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.783958912 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:09.784115076 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:10.002233982 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.002496004 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.003204107 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:10.102566957 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.102606058 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.102710009 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.102732897 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:10.102827072 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.103205919 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.103271961 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:10.103291988 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.103338003 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:10.302690983 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.302767992 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.303037882 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:10.546391964 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.546468019 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.546621084 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:10.547343016 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.547698975 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.547770023 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:10.547938108 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.548106909 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.548170090 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:10.727700949 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.727794886 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.727833986 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.727865934 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:10.777059078 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:10.905487061 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.905523062 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.905596018 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.905622005 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:10.905740023 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.905796051 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:10.905807018 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.905971050 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:10.906021118 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:11.131838083 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.131874084 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.131944895 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.131989002 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:11.173867941 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.173995018 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:11.311541080 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.311636925 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.311745882 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.311743975 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:11.311877966 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.311937094 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:11.312056065 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.312205076 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.312273026 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:11.516408920 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.516437054 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.516608953 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:11.517205954 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.517319918 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.517395973 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:11.517452002 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.558393002 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:11.645148993 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.645204067 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.645289898 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:11.645342112 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.645576954 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.645646095 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:11.645942926 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.646039963 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.646099091 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:11.867607117 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.868385077 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.868522882 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:11.868933916 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.870141029 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.870255947 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:11.896214008 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.896286964 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.896421909 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:11.952187061 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.952239037 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.952303886 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.952531099 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:11.952578068 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.952661991 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:11.952713966 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.952938080 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:11.953006983 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:12.181977034 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:12.182023048 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:12.182044029 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:12.182158947 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:12.901534081 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:13.337012053 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:13.338011026 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:13.465297937 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:13.818660975 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:13.965408087 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:14.493513107 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:14.493834972 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:16.783837080 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:16.824429989 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:16.876164913 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:17.334047079 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:17.514861107 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:17.847976923 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:17.848083019 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:18.173223972 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:18.215190887 CEST	49760	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:18.345988035 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:18.582777023 CEST	9090	49760	185.19.85.140	192.168.2.6
May 12, 2021 05:24:24.620315075 CEST	49765	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:24.949369907 CEST	9090	49765	185.19.85.140	192.168.2.6
May 12, 2021 05:24:24.949723959 CEST	49765	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:25.143599033 CEST	49765	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:25.497734070 CEST	9090	49765	185.19.85.140	192.168.2.6
May 12, 2021 05:24:25.544277906 CEST	49765	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:25.556561947 CEST	49765	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:25.967827082 CEST	9090	49765	185.19.85.140	192.168.2.6
May 12, 2021 05:24:26.012753963 CEST	49765	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:26.030476093 CEST	49765	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:26.487776041 CEST	9090	49765	185.19.85.140	192.168.2.6
May 12, 2021 05:24:26.612473011 CEST	9090	49765	185.19.85.140	192.168.2.6
May 12, 2021 05:24:26.653352022 CEST	49765	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:26.696568012 CEST	49765	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:26.996287107 CEST	9090	49765	185.19.85.140	192.168.2.6
May 12, 2021 05:24:26.996499062 CEST	49765	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:27.074738979 CEST	9090	49765	185.19.85.140	192.168.2.6
May 12, 2021 05:24:27.371443033 CEST	9090	49765	185.19.85.140	192.168.2.6
May 12, 2021 05:24:27.376693010 CEST	49765	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:27.645260096 CEST	9090	49765	185.19.85.140	192.168.2.6
May 12, 2021 05:24:27.700453043 CEST	49765	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:27.879609108 CEST	49765	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:28.175170898 CEST	9090	49765	185.19.85.140	192.168.2.6
May 12, 2021 05:24:28.215984106 CEST	49765	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:28.256370068 CEST	49765	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:28.557682037 CEST	9090	49765	185.19.85.140	192.168.2.6
May 12, 2021 05:24:28.559005022 CEST	49765	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:29.011322021 CEST	9090	49765	185.19.85.140	192.168.2.6
May 12, 2021 05:24:30.476779938 CEST	9090	49765	185.19.85.140	192.168.2.6
May 12, 2021 05:24:30.528719902 CEST	49765	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:24:32.986895084 CEST	9090	49765	185.19.85.140	192.168.2.6
May 12, 2021 05:24:33.028913021 CEST	49765	9090	192.168.2.6	185.19.85.140

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 05:21:44.392151117 CEST	64267	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:44.454217911 CEST	53	64267	8.8.8.8	192.168.2.6
May 12, 2021 05:21:44.969283104 CEST	49448	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:45.019577026 CEST	53	49448	8.8.8.8	192.168.2.6
May 12, 2021 05:21:46.178647995 CEST	60342	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:46.227346897 CEST	53	60342	8.8.8.8	192.168.2.6
May 12, 2021 05:21:47.001123905 CEST	61346	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:47.049767017 CEST	53	61346	8.8.8.8	192.168.2.6
May 12, 2021 05:21:49.854787111 CEST	51774	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:49.905215979 CEST	53	51774	8.8.8.8	192.168.2.6
May 12, 2021 05:21:50.805028915 CEST	56023	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:50.857408047 CEST	53	56023	8.8.8.8	192.168.2.6
May 12, 2021 05:21:51.613993883 CEST	58384	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:51.662810087 CEST	53	58384	8.8.8.8	192.168.2.6
May 12, 2021 05:21:52.741713047 CEST	60261	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:52.790513992 CEST	53	60261	8.8.8.8	192.168.2.6
May 12, 2021 05:21:53.604362011 CEST	56061	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:53.655986071 CEST	53	56061	8.8.8.8	192.168.2.6
May 12, 2021 05:21:55.662966013 CEST	58336	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:55.711884022 CEST	53	58336	8.8.8.8	192.168.2.6
May 12, 2021 05:21:56.522459984 CEST	53781	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:56.579611063 CEST	53	53781	8.8.8.8	192.168.2.6
May 12, 2021 05:21:57.410602093 CEST	54064	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:57.471016884 CEST	53	54064	8.8.8.8	192.168.2.6
May 12, 2021 05:21:59.637209892 CEST	52811	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:59.686049938 CEST	53	52811	8.8.8.8	192.168.2.6
May 12, 2021 05:22:00.445169926 CEST	55299	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:00.493896961 CEST	53	55299	8.8.8.8	192.168.2.6
May 12, 2021 05:22:01.446686983 CEST	63745	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:01.495455980 CEST	53	63745	8.8.8.8	192.168.2.6
May 12, 2021 05:22:02.553551912 CEST	50055	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:02.605151892 CEST	53	50055	8.8.8.8	192.168.2.6
May 12, 2021 05:22:03.698920012 CEST	61374	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:03.750457048 CEST	53	61374	8.8.8.8	192.168.2.6
May 12, 2021 05:22:04.769795895 CEST	50339	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:04.823363066 CEST	53	50339	8.8.8.8	192.168.2.6
May 12, 2021 05:22:21.244643927 CEST	63307	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:21.316487074 CEST	53	63307	8.8.8.8	192.168.2.6
May 12, 2021 05:22:39.220978975 CEST	49694	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:39.281143904 CEST	53	49694	8.8.8.8	192.168.2.6
May 12, 2021 05:22:41.386811018 CEST	54982	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:41.613265038 CEST	53	54982	8.8.8.8	192.168.2.6
May 12, 2021 05:22:41.660953045 CEST	50010	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:41.719435930 CEST	53	50010	8.8.8.8	192.168.2.6
May 12, 2021 05:22:52.175230026 CEST	63718	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:52.397355080 CEST	53	63718	8.8.8.8	192.168.2.6
May 12, 2021 05:22:59.768373013 CEST	62116	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:59.830533028 CEST	53	62116	8.8.8.8	192.168.2.6
May 12, 2021 05:23:06.820121050 CEST	63816	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:06.891052008 CEST	53	63816	8.8.8.8	192.168.2.6
May 12, 2021 05:23:06.963944912 CEST	55014	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:07.023929119 CEST	53	55014	8.8.8.8	192.168.2.6
May 12, 2021 05:23:07.732428074 CEST	62208	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:07.837635040 CEST	53	62208	8.8.8.8	192.168.2.6
May 12, 2021 05:23:08.897435904 CEST	57574	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:09.001605034 CEST	53	57574	8.8.8.8	192.168.2.6
May 12, 2021 05:23:10.012686014 CEST	51818	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:10.069765091 CEST	53	51818	8.8.8.8	192.168.2.6
May 12, 2021 05:23:10.889924049 CEST	56628	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:10.947150946 CEST	53	56628	8.8.8.8	192.168.2.6
May 12, 2021 05:23:11.772455931 CEST	60778	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:11.829668999 CEST	53	60778	8.8.8.8	192.168.2.6
May 12, 2021 05:23:13.295650005 CEST	53799	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:13.358124971 CEST	53	53799	8.8.8.8	192.168.2.6
May 12, 2021 05:23:14.012598991 CEST	54683	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:14.071949959 CEST	53	54683	8.8.8.8	192.168.2.6
May 12, 2021 05:23:15.873629093 CEST	59329	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:15.933146954 CEST	53	59329	8.8.8.8	192.168.2.6
May 12, 2021 05:23:17.469090939 CEST	64021	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:17.528901100 CEST	53	64021	8.8.8.8	192.168.2.6
May 12, 2021 05:23:17.606360912 CEST	56129	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:17.657932997 CEST	53	56129	8.8.8.8	192.168.2.6
May 12, 2021 05:23:18.770546913 CEST	58177	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:18.830600023 CEST	53	58177	8.8.8.8	192.168.2.6
May 12, 2021 05:23:19.971337080 CEST	50700	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:20.028148890 CEST	53	50700	8.8.8.8	192.168.2.6
May 12, 2021 05:23:23.621001005 CEST	54069	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:23.678153038 CEST	53	54069	8.8.8.8	192.168.2.6
May 12, 2021 05:23:25.175764084 CEST	61178	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:25.248471975 CEST	53	61178	8.8.8.8	192.168.2.6
May 12, 2021 05:23:31.218559027 CEST	57017	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:31.284054995 CEST	53	57017	8.8.8.8	192.168.2.6
May 12, 2021 05:23:32.738291025 CEST	56327	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:32.798279047 CEST	53	56327	8.8.8.8	192.168.2.6
May 12, 2021 05:23:41.981621981 CEST	50243	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:42.208885908 CEST	53	50243	8.8.8.8	192.168.2.6
May 12, 2021 05:23:45.884076118 CEST	62055	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:45.943105936 CEST	53	62055	8.8.8.8	192.168.2.6
May 12, 2021 05:23:50.228087902 CEST	61249	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:50.285227060 CEST	53	61249	8.8.8.8	192.168.2.6
May 12, 2021 05:23:57.315285921 CEST	65252	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:57.539803028 CEST	53	65252	8.8.8.8	192.168.2.6
May 12, 2021 05:24:04.391263008 CEST	64367	53	192.168.2.6	8.8.8.8
May 12, 2021 05:24:04.439948082 CEST	53	64367	8.8.8.8	192.168.2.6
May 12, 2021 05:24:06.723969936 CEST	55066	53	192.168.2.6	8.8.8.8
May 12, 2021 05:24:06.800782919 CEST	53	55066	8.8.8.8	192.168.2.6
May 12, 2021 05:24:07.639086962 CEST	60211	53	192.168.2.6	8.8.8.8
May 12, 2021 05:24:07.707125902 CEST	53	60211	8.8.8.8	192.168.2.6
May 12, 2021 05:24:24.540781021 CEST	56570	53	192.168.2.6	8.8.8.8
May 12, 2021 05:24:24.598411083 CEST	53	56570	8.8.8.8	192.168.2.6
May 12, 2021 05:24:30.486408949 CEST	58454	53	192.168.2.6	8.8.8.8
May 12, 2021 05:24:30.535231113 CEST	53	58454	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 05:22:41.386811018 CEST	192.168.2.6	8.8.8.8	0x30b2	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:22:52.175230026 CEST	192.168.2.6	8.8.8.8	0xaef8	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:22:59.768373013 CEST	192.168.2.6	8.8.8.8	0x64d8	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:23:06.963944912 CEST	192.168.2.6	8.8.8.8	0xc4ed	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:23:17.469090939 CEST	192.168.2.6	8.8.8.8	0xdaf4	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:23:23.621001005 CEST	192.168.2.6	8.8.8.8	0x7abb	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:23:32.738291025 CEST	192.168.2.6	8.8.8.8	0xb97d	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:23:41.981621981 CEST	192.168.2.6	8.8.8.8	0x7ad	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:23:50.228087902 CEST	192.168.2.6	8.8.8.8	0x6bd9	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:23:57.315285921 CEST	192.168.2.6	8.8.8.8	0x1a0d	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:24:24.540781021 CEST	192.168.2.6	8.8.8.8	0xf295	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 12, 2021 05:22:41.613265038 CEST	8.8.8.8	192.168.2.6	0x30b2	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:22:52.397355080 CEST	8.8.8.8	192.168.2.6	0xaef8	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:22:59.830533028 CEST	8.8.8.8	192.168.2.6	0x64d8	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:23:07.023929119 CEST	8.8.8.8	192.168.2.6	0xc4ed	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:23:17.528901100 CEST	8.8.8.8	192.168.2.6	0xdaf4	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:23:23.678153038 CEST	8.8.8.8	192.168.2.6	0x7abb	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:23:32.798279047 CEST	8.8.8.8	192.168.2.6	0xb97d	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:23:42.208885908 CEST	8.8.8.8	192.168.2.6	0x7ad	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:23:50.285227060 CEST	8.8.8.8	192.168.2.6	0x6bd9	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:23:57.539803028 CEST	8.8.8.8	192.168.2.6	0x1a0d	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:24:24.598411083 CEST	8.8.8.8	192.168.2.6	0xf295	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: zUEBMx2U10.exe PID: 6540 Parent PID: 5980

General

Start time:	05:21:52
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\zUEBMx2U10.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\zUEBMx2U10.exe'
Imagebase:	0xbc0000
File size:	3858432 bytes
MD5 hash:	9B2B7ACC05E281C17F978028722B51E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Start time:	05:21:56
Start date:	12/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	05:22:01
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Start time:	05:22:02
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	05:22:03
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	05:22:07
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	05:22:08
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0xc00000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	05:22:14
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\zUEBMx2U10.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\zUEBMx2U10.exe
Imagebase:	0x330000
File size:	3858432 bytes
MD5 hash:	9B2B7ACC05E281C17F978028722B51E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Start time:	05:22:16
Start date:	12/05/2021
Path:	C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe'
Imagebase:	0xa60000
File size:	3858432 bytes
MD5 hash:	9B2B7ACC05E281C17F978028722B51E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 38%, Metadefender, Browse Detection: 76%, ReversingLabs
Reputation:	low

Start time:	05:22:18
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\zUEBMx2U10.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\zUEBMx2U10.exe
Imagebase:	0x1e0000
File size:	3858432 bytes
MD5 hash:	9B2B7ACC05E281C17F978028722B51E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Start time:	05:22:21
Start date:	12/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	05:22:22
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\zUEBMx2U10.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\zUEBMx2U10.exe
Imagebase:	0xed0000
File size:	3858432 bytes
MD5 hash:	9B2B7ACC05E281C17F978028722B51E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Start time:	05:22:24
Start date:	12/05/2021
Path:	C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe'
Imagebase:	0xb30000
File size:	3858432 bytes
MD5 hash:	9B2B7ACC05E281C17F978028722B51E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Start time:	05:22:28
Start date:	12/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	05:22:29
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6540 -ip 6540
Imagebase:	0xea0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	05:22:30
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1760
Imagebase:	0xea0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Start time:	05:22:43
Start date:	12/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	05:23:04
Start date:	12/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	05:23:19
Start date:	12/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	05:23:36
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Start time:	05:23:37
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report zUEBMx2U10.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Start time:	05:23:38
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre