Play interactive tour

Edit tour

Analysis Report zUEBMx2U10.exe

Overview

General Information

Sample Name:	zUEBMx2U10.exe
Analysis ID:	411703
MD5:	9b2b7acc05e281c17f978028722b51e9
SHA1:	9316ff35c185dcf3c80c2c3ab2ff55ff1076652a
SHA256:	92781fa0c501e4375f625a6e8379bbe8f0d7d42fd6699981233a044222e081d4
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected Nanocore RAT

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Creates an autostart registry key pointing to binary in C:\Windows

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Non Interactive PowerShell

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

zUEBMx2U10.exe (PID: 6540 cmdline: 'C:\Users\user\Desktop\zUEBMx2U10.exe' MD5: 9B2B7ACC05E281C17F978028722B51E9)

powershell.exe (PID: 6768 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6792 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zUEBMx2U10.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6884 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 7112 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5784 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

zUEBMx2U10.exe (PID: 2940 cmdline: C:\Users\user\Desktop\zUEBMx2U10.exe MD5: 9B2B7ACC05E281C17F978028722B51E9)

zUEBMx2U10.exe (PID: 3800 cmdline: C:\Users\user\Desktop\zUEBMx2U10.exe MD5: 9B2B7ACC05E281C17F978028722B51E9)

zUEBMx2U10.exe (PID: 6516 cmdline: C:\Users\user\Desktop\zUEBMx2U10.exe MD5: 9B2B7ACC05E281C17F978028722B51E9)

WerFault.exe (PID: 6876 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1760 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 6644 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6276 cmdline: 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' MD5: 9B2B7ACC05E281C17F978028722B51E9)

powershell.exe (PID: 3624 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 1768 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6384 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6480 cmdline: 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' MD5: 9B2B7ACC05E281C17F978028722B51E9)

svchost.exe (PID: 6728 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 6680 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6540 -ip 6540 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 6256 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3224 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2276 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Group": "backup july", "Domain1": "backupjuly.duckdns.org", "Domain2": "backupjuly.duckdns.org", "Port": 9090, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10f25:$x1: NanoCore.ClientPluginHost 0x43d45:$x1: NanoCore.ClientPluginHost 0x10f62:$x2: IClientNetworkHost 0x43d82:$x2: IClientNetworkHost 0x14a95:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x478b5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10c8d:$a: NanoCore 0x10c9d:$a: NanoCore 0x10ed1:$a: NanoCore 0x10ee5:$a: NanoCore 0x10f25:$a: NanoCore 0x43aad:$a: NanoCore 0x43abd:$a: NanoCore 0x43cf1:$a: NanoCore 0x43d05:$a: NanoCore 0x43d45:$a: NanoCore 0x10cec:$b: ClientPlugin 0x10eee:$b: ClientPlugin 0x10f2e:$b: ClientPlugin 0x43b0c:$b: ClientPlugin 0x43d0e:$b: ClientPlugin 0x43d4e:$b: ClientPlugin 0x10e13:$c: ProjectData 0x43c33:$c: ProjectData 0x1181a:$d: DESCrypto 0x4463a:$d: DESCrypto 0x191e6:$e: KeepAlive
00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3bf7ed:$x1: NanoCore.ClientPluginHost 0x3bf82a:$x2: IClientNetworkHost 0x3c335d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3bf555:$a: NanoCore 0x3bf565:$a: NanoCore 0x3bf799:$a: NanoCore 0x3bf7ad:$a: NanoCore 0x3bf7ed:$a: NanoCore 0x3bf5b4:$b: ClientPlugin 0x3bf7b6:$b: ClientPlugin 0x3bf7f6:$b: ClientPlugin 0x3bf6db:$c: ProjectData 0x3c00e2:$d: DESCrypto 0x3c7aae:$e: KeepAlive 0x3c5a9c:$g: LogClientMessage 0x3c1c97:$i: get_Connected 0x3c0418:$j: #=q 0x3c0448:$j: #=q 0x3c0464:$j: #=q 0x3c0494:$j: #=q 0x3c04b0:$j: #=q 0x3c04cc:$j: #=q 0x3c04fc:$j: #=q 0x3c0518:$j: #=q
Process Memory Space: zUEBMx2U10.exe PID: 6540	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc56b8b:$x1: NanoCore.ClientPluginHost 0xc759d7:$x1: NanoCore.ClientPluginHost 0x1054efe:$x1: NanoCore.ClientPluginHost 0xc56bec:$x2: IClientNetworkHost 0xc75a38:$x2: IClientNetworkHost 0x1054f5f:$x2: IClientNetworkHost 0xc5bff1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc69f63:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc7ae3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc88daf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x105a364:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10682d6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: zUEBMx2U10.exe PID: 6540	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: zUEBMx2U10.exe PID: 6540	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc56690:$a: NanoCore 0xc566ac:$a: NanoCore 0xc56807:$a: NanoCore 0xc56816:$a: NanoCore 0xc56aef:$a: NanoCore 0xc56b1b:$a: NanoCore 0xc56b8b:$a: NanoCore 0xc665cd:$a: NanoCore 0xc665df:$a: NanoCore 0xc6661b:$a: NanoCore 0xc754dc:$a: NanoCore 0xc754f8:$a: NanoCore 0xc75653:$a: NanoCore 0xc75662:$a: NanoCore 0xc7593b:$a: NanoCore 0xc75967:$a: NanoCore 0xc759d7:$a: NanoCore 0xc85419:$a: NanoCore 0xc8542b:$a: NanoCore 0xc85467:$a: NanoCore 0x1054a03:$a: NanoCore
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.zUEBMx2U10.exe.6e35d98.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.zUEBMx2U10.exe.6e35d98.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.zUEBMx2U10.exe.6e35d98.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.zUEBMx2U10.exe.6e35d98.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.zUEBMx2U10.exe.6e68bb8.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.zUEBMx2U10.exe.6e68bb8.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.zUEBMx2U10.exe.6e68bb8.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.zUEBMx2U10.exe.6e68bb8.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42fad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42fea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42d15:$a: NanoCore 0x42d25:$a: NanoCore 0x42f59:$a: NanoCore 0x42f6d:$a: NanoCore 0x42fad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42d74:$b: ClientPlugin 0x42f76:$b: ClientPlugin 0x42fb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42e9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x438a2:$d: DESCrypto 0x1844e:$e: KeepAlive
Click to see the 9 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\zUEBMx2U10.exe, ProcessId: 6516, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\zUEBMx2U10.exe, ProcessId: 6516, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\zUEBMx2U10.exe' , ParentImage: C:\Users\user\Desktop\zUEBMx2U10.exe, ParentProcessId: 6540, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force, ProcessId: 6768

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\zUEBMx2U10.exe, ProcessId: 6516, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\zUEBMx2U10.exe, ProcessId: 6516, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Group": "backup july", "Domain1": "backupjuly.duckdns.org", "Domain2": "backupjuly.duckdns.org", "Port": 9090, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Metadefender: Detection: 32%			Perma Link
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	ReversingLabs: Detection: 75%

Multi AV Scanner detection for submitted file

Show sources

Source: zUEBMx2U10.exe	Virustotal: Detection: 42%	Perma Link
Source: zUEBMx2U10.exe	Metadefender: Detection: 32%	Perma Link
Source: zUEBMx2U10.exe	ReversingLabs: Detection: 75%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zUEBMx2U10.exe PID: 6540, type: MEMORY
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: zUEBMx2U10.exe

Joe Sandbox ML: detected

Source: zUEBMx2U10.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.423179502.00000000006BB000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: ml.pdb? source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdbBS? source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: ml.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: c.pdbis?N source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdbC source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000016.00000003.468962239.0000000004CD5000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: (P%pLC:\Windows\Microsoft.VisualBasic.pdb source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb" source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: cryptsp.pdb`S source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdbjS source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbT source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 00000016.00000003.468962239.0000000004CD5000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdbw source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3\|l source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: System.pdbg source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdbXS9 source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\Desktop\zUEBMx2U10.PDB3 source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000016.00000003.468962239.0000000004CD5000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb% source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.419379807.0000000000690000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbT source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbfS source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: rawing.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 00000016.00000003.467783632.0000000004CD1000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000016.00000003.468505271.0000000004B76000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\user\Desktop\zUEBMx2U10.PDB source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdbLS% source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb% source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.423103946.0000000000684000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: cldapi.pdbM source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: np0pVisualBasic.pdb source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbT source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: .pdb(8 source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb{{ source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: zUEBMx2U10.PDBL source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: iertutil.pdb3! source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb^S3 source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbTS source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: cldapi.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000016.00000003.467783632.0000000004CD1000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000016.00000003.467783632.0000000004CD1000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.417934703.0000000000696000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000016.00000003.468962239.0000000004CD5000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000016.00000003.467783632.0000000004CD1000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbl source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: edputil.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: backupjuly.duckdns.org

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: backupjuly.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.6:49728 -> 185.19.85.140:9090

Source: Joe Sandbox View

ASN Name: DATAWIRE-ASCH DATAWIRE-ASCH

Source: svchost.exe, 0000001D.00000003.514597098.0000020C4354B000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001D.00000003.514597098.0000020C4354B000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001D.00000002.539329325.0000020C43557000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-05-11T09:38:07.3274264Z\|\|.\|\|7e6d3bb3-74bc-4bd2-8463-13ea3a980d3c\|\|1152921505693476823\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000001D.00000002.539329325.0000020C43557000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-05-11T09:38:07.3274264Z\|\|.\|\|7e6d3bb3-74bc-4bd2-8463-13ea3a980d3c\|\|1152921505693476823\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000001D.00000003.514597098.0000020C4354B000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",3I equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001D.00000003.514597098.0000020C4354B000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",3I equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001D.00000003.514597098.0000020C4354B000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001D.00000003.514597098.0000020C4354B000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001D.00000003.502580650.0000020C43589000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-28T14:19:25.9172986Z\|\|.\|\|2e8b091b-9a79-4b36-a1ad-1238cc769fa9\|\|1152921505693355901\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-28T14:18:40.1620745Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000001D.00000003.502624263.0000020C4356A000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-28T14:19:25.9172986Z\|\|.\|\|2e8b091b-9a79-4b36-a1ad-1238cc769fa9\|\|1152921505693355901\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-28T14:18:40.1620745Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE

Source: unknown

DNS traffic detected: queries for: backupjuly.duckdns.org

Source: svchost.exe, 0000001D.00000002.531282040.0000020C42CAA000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 0000001D.00000002.531282040.0000020C42CAA000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000001D.00000002.531282040.0000020C42CAA000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 0000001D.00000002.531282040.0000020C42CAA000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000007.00000003.496753193.0000000007457000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: powershell.exe, 00000007.00000003.496753193.0000000007457000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: powershell.exe, 00000007.00000003.496753193.0000000007457000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000003.486985985.0000000005A9B000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000003.507167541.0000000004D32000.00000004.00000001.sdmp	String found in binary or memory: https://go.microd
Source: svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zUEBMx2U10.exe PID: 6540, type: MEMORY
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: zUEBMx2U10.exe PID: 6540, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: zUEBMx2U10.exe PID: 6540, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

.NET source code contains very large strings

Show sources

Source: zUEBMx2U10.exe, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: svchost.exe.1.dr, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 1.2.zUEBMx2U10.exe.bc0000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 1.0.zUEBMx2U10.exe.bc0000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 12.2.zUEBMx2U10.exe.330000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 12.0.zUEBMx2U10.exe.330000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 13.0.svchost.exe.a60000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 15.2.zUEBMx2U10.exe.1e0000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 15.0.zUEBMx2U10.exe.1e0000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 17.0.zUEBMx2U10.exe.ed0000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462
Source: 18.0.svchost.exe.b30000.0.unpack, ??????????????????????????????????.cs	Long String: Length: 1923462

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

File created: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6

Jump to behavior

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Code function: 1_2_017BA388
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Code function: 1_2_017B0490
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Code function: 1_2_017B2BD8
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Code function: 1_2_017B3B75
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Code function: 1_2_017BA379
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Code function: 1_2_017BA46E
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Code function: 1_2_017BA4BA

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6540 -ip 6540

Source: zUEBMx2U10.exe	Binary or memory string: OriginalFilename vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 00000001.00000002.679374835.0000000006CD1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 00000001.00000002.673906551.00000000066F0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 00000001.00000002.675804424.0000000006950000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameXKEQ OAu.exe2 vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 00000001.00000002.570270331.0000000000BC2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirstoftheday.exe< vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe	Binary or memory string: OriginalFilename vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 0000000C.00000002.382637639.0000000000332000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirstoftheday.exe< vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe	Binary or memory string: OriginalFilename vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 0000000F.00000002.391819204.00000000001E2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirstoftheday.exe< vs zUEBMx2U10.exe
Source: zUEBMx2U10.exe, 00000011.00000000.393907451.0000000000ED2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirstoftheday.exe< vs zUEBMx2U10.exe

Source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: zUEBMx2U10.exe PID: 6540, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: zUEBMx2U10.exe PID: 6540, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: classification engine

Classification label: mal100.troj.evad.winEXE@48/28@11/3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20210512\PowerShell_transcript.760639.6iHHi+Z_.20210512052205.txt

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6540
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{0a7e289c-1b29-4584-8e36-a27a2b9592bf}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4264:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_01

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uludn5pk.srf.ps1

Jump to behavior

Source: zUEBMx2U10.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: zUEBMx2U10.exe	Virustotal: Detection: 42%
Source: zUEBMx2U10.exe	Metadefender: Detection: 32%
Source: zUEBMx2U10.exe	ReversingLabs: Detection: 75%

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

File read: C:\Users\user\Desktop\zUEBMx2U10.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe 'C:\Users\user\Desktop\zUEBMx2U10.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zUEBMx2U10.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe
Source: unknown	Process created: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe'
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe
Source: unknown	Process created: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6540 -ip 6540
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1760
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zUEBMx2U10.exe' -Force
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6540 -ip 6540
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1760
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: zUEBMx2U10.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: zUEBMx2U10.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: zUEBMx2U10.exe

Static file information: File size 3858432 > 1048576

Source: zUEBMx2U10.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3ad600

Source: zUEBMx2U10.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.423179502.00000000006BB000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: ml.pdb? source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdbBS? source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: ml.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: c.pdbis?N source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdbC source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000016.00000003.468962239.0000000004CD5000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: (P%pLC:\Windows\Microsoft.VisualBasic.pdb source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb" source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: cryptsp.pdb`S source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdbjS source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbT source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 00000016.00000003.468962239.0000000004CD5000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdbw source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3\|l source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: System.pdbg source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdbXS9 source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\Desktop\zUEBMx2U10.PDB3 source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000016.00000003.468962239.0000000004CD5000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb% source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.419379807.0000000000690000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbT source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbfS source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: rawing.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 00000016.00000003.467783632.0000000004CD1000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000016.00000003.468505271.0000000004B76000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\user\Desktop\zUEBMx2U10.PDB source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdbLS% source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb% source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.423103946.0000000000684000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: cldapi.pdbM source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: np0pVisualBasic.pdb source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbT source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: .pdb(8 source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb{{ source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: zUEBMx2U10.PDBL source: zUEBMx2U10.exe, 00000001.00000002.586578171.0000000001337000.00000004.00000001.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: iertutil.pdb3! source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb^S3 source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000016.00000003.468924392.0000000004CD0000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbTS source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: cldapi.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000016.00000003.467783632.0000000004CD1000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000016.00000003.467783632.0000000004CD1000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.417934703.0000000000696000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdbr source: WerFault.exe, 00000016.00000003.467650722.0000000004CE8000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000016.00000003.468962239.0000000004CD5000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000016.00000003.468054120.0000000004CE9000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000016.00000002.560868292.0000000004E60000.00000004.00000001.sdmp
Source:	Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000016.00000003.467783632.0000000004CD1000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbl source: WerFault.exe, 00000016.00000003.468171677.0000000004B61000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: edputil.pdb source: WerFault.exe, 00000016.00000003.467450997.0000000004CDC000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000016.00000003.468999733.0000000004CD8000.00000004.00000040.sdmp

Source: zUEBMx2U10.exe

Static PE information: 0x8236B8BB [Fri Mar 25 00:05:15 2039 UTC]

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

Code function: 1_2_017B52C9 push eax; iretd

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

File created: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: unknown

Executable created and started: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

File created: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

File created: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe

Jump to dropped file

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 9EO342rLb92o62

Jump to behavior

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 9EO342rLb92o62	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 9EO342rLb92o62	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 9EO342rLb92o62	Jump to behavior
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 9EO342rLb92o62	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

File opened: C:\Users\user\Desktop\zUEBMx2U10.exe:Zone.Identifier read attributes | delete

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Section loaded: OutputDebugStringW count: 230
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Section loaded: OutputDebugStringW count: 115

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: zUEBMx2U10.exe, 00000001.00000002.679374835.0000000006CD1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: zUEBMx2U10.exe, 00000001.00000002.679374835.0000000006CD1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLUSER

Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4399
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2573
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4699
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2451
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4271
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2810
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Window / User API: threadDelayed 3437
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Window / User API: threadDelayed 5550
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Window / User API: foregroundWindowGot 547
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1971
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 626

Source: C:\Users\user\Desktop\zUEBMx2U10.exe TID: 6544	Thread sleep count: 100 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3912	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3912	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6976	Thread sleep count: 4699 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6980	Thread sleep count: 2451 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep count: 57 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6232	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6232	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6356	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6356	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe TID: 6260	Thread sleep count: 100 > 30
Source: C:\Users\user\Desktop\zUEBMx2U10.exe TID: 7104	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe TID: 6472	Thread sleep count: 100 > 30
Source: C:\Windows\System32\svchost.exe TID: 4760	Thread sleep time: -210000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 492	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2988	Thread sleep count: 207 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2988	Thread sleep count: 65 > 30

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread delayed: delay time: 922337203685477

Source: WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: powershell.exe, 00000003.00000003.625601350.0000000005172000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.608755342.00000000058E1000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: svchost.exe, 00000002.00000002.349803562.0000022522F40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.423781311.000001E135F40000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.549548050.0000000004960000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.466257929.0000024F4D140000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: zUEBMx2U10.exe, 00000011.00000003.436168609.0000000001A50000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|
Source: WerFault.exe, 00000016.00000002.547586254.0000000004678000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW(Fx
Source: WerFault.exe, 00000016.00000002.548752130.0000000004780000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.530637699.0000020C42C80000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: zUEBMx2U10.exe, 00000001.00000002.679374835.0000000006CD1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: svchost.exe, 00000002.00000002.349803562.0000022522F40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.423781311.000001E135F40000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.549548050.0000000004960000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.466257929.0000024F4D140000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000002.00000002.349803562.0000022522F40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.423781311.000001E135F40000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.549548050.0000000004960000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.466257929.0000024F4D140000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: VMwareVBox
Source: WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: WerFault.exe, 00000016.00000003.442695324.0000000005590000.00000004.00000001.sdmp	Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: svchost.exe, 0000001D.00000002.532108002.0000020C42CD6000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWos
Source: svchost.exe, 00000002.00000002.349803562.0000022522F40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.423781311.000001E135F40000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.549548050.0000000004960000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.466257929.0000024F4D140000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: powershell.exe, 00000003.00000003.625601350.0000000005172000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.608755342.00000000058E1000.00000004.00000001.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System information queried: CodeIntegrityInformation

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process queried: DebugPort
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process queried: DebugPort
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process token adjusted: Debug
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zUEBMx2U10.exe' -Force
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zUEBMx2U10.exe' -Force
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Memory written: C:\Users\user\Desktop\zUEBMx2U10.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Memory written: unknown base: 400000 value starts with: 4D5A
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Memory written: unknown base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zUEBMx2U10.exe' -Force
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Process created: C:\Users\user\Desktop\zUEBMx2U10.exe C:\Users\user\Desktop\zUEBMx2U10.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6540 -ip 6540
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1760
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Users\user\Desktop\zUEBMx2U10.exe VolumeInformation
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Users\user\Desktop\zUEBMx2U10.exe VolumeInformation
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\zUEBMx2U10.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: unknown VolumeInformation

Source: C:\Users\user\Desktop\zUEBMx2U10.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zUEBMx2U10.exe PID: 6540, type: MEMORY
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: zUEBMx2U10.exe, 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp

String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zUEBMx2U10.exe PID: 6540, type: MEMORY
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e35d98.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e68bb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e68bb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zUEBMx2U10.exe.6e35d98.8.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Registry Run Keys / Startup Folder11	Process Injection111	Masquerading221	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder11	Disable or Modify Tools11	LSASS Memory	Security Software Discovery431	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion351	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	Virtualization/Sandbox Evasion351	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Timestomp1	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery22	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zUEBMx2U10.exe	43%	Virustotal		Browse
zUEBMx2U10.exe	38%	Metadefender		Browse
zUEBMx2U10.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoBot
zUEBMx2U10.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	100%	Joe Sandbox ML
C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	38%	Metadefender		Browse
C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoBot

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
backupjuly.duckdns.org	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.microd	0%	Avira URL Cloud	safe
backupjuly.duckdns.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
backupjuly.duckdns.org	185.19.85.140	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
backupjuly.duckdns.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000007.00000003.496753193.0000000007457000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000007.00000003.496753193.0000000007457000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/contact/	svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000005.00000003.486985985.0000000005A9B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.roblox.com/develop	svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	false		high
https://instagram.com/hiddencity_	svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
https://go.microd	powershell.exe, 00000007.00000003.507167541.0000000004D32000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/parents/	svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000007.00000003.496753193.0000000007457000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms	svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
https://www.roblox.com/info/privacy	svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	false		high
http://www.g5e.com/termsofservice	svchost.exe, 0000001D.00000003.497552515.0000020C435A6000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high
https://en.help.roblox.com/hc/en-us	svchost.exe, 0000001D.00000003.512531285.0000020C43573000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.512818639.0000020C4358F000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	WerFault.exe, 00000016.00000003.457240955.0000000004EA0000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.19.85.140	backupjuly.duckdns.org	Switzerland		48971	DATAWIRE-ASCH	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	411703
Start date:	12.05.2021
Start time:	05:21:01
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 26s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	zUEBMx2U10.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@48/28@11/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Excluded IPs from analysis (whitelisted): 92.122.145.220, 40.88.32.150, 20.82.210.154, 2.20.143.16, 2.20.142.209, 92.122.213.194, 92.122.213.247, 20.54.26.129, 52.155.217.156, 13.64.90.137, 23.218.208.56, 20.82.209.183, 52.255.188.83, 13.88.21.125 TCP Packets have been reduced to 100 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:22:06	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 9EO342rLb92o62 C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe
05:22:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce 9EO342rLb92o62 C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe
05:22:36	API Interceptor	765x Sleep call for process: zUEBMx2U10.exe modified
05:22:50	API Interceptor	177x Sleep call for process: powershell.exe modified
05:23:08	API Interceptor	12x Sleep call for process: svchost.exe modified
05:23:21	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.19.85.140	Memorandum of PCR test.exe	Get hash	malicious	Browse
	Memorandum of PCR test.pdf.exe	Get hash	malicious	Browse
	Memorandum on PCR test 001.pdf.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DATAWIRE-ASCH	remittance slip.pdf.exe	Get hash	malicious	Browse	185.19.85.139
	968927d6_by_Libranalysis.exe	Get hash	malicious	Browse	185.19.85.142
	b98b396b_by_Libranalysis.xlsx	Get hash	malicious	Browse	185.19.85.142
	PL-REM-40310EMEA02 (0085).jar	Get hash	malicious	Browse	185.19.85.166
	Appraisal.reportl1100445269900.vbs	Get hash	malicious	Browse	185.19.85.168
	Appraisal.property..vbs	Get hash	malicious	Browse	185.19.85.168
	Appraisal.vbs	Get hash	malicious	Browse	185.19.85.168
	Appraisal.vbs	Get hash	malicious	Browse	185.19.85.168
	p8Up8qw5.exe	Get hash	malicious	Browse	185.19.85.148
	867353735-2021 Presentation Details.vbs	Get hash	malicious	Browse	185.19.85.165
	867353735-2021 Presentation Details.vbs	Get hash	malicious	Browse	185.19.85.165
	VIS_MAL.txt.ps1	Get hash	malicious	Browse	185.19.85.134
	P195 NOVO Cinema#2021.exe	Get hash	malicious	Browse	185.19.85.134
	INVOICE_.EXE	Get hash	malicious	Browse	185.19.85.171
	New Order 567w43.exe	Get hash	malicious	Browse	185.19.85.139
	yZykshDGPX.exe	Get hash	malicious	Browse	185.19.85.162
	Cancellation_Request_pdf.hta	Get hash	malicious	Browse	185.19.85.169
	sfTZCyMKuC.exe	Get hash	malicious	Browse	185.19.85.137
	Booking vouchers.exe	Get hash	malicious	Browse	185.19.85.134
	PurchaseOrder_2021676777.exe	Get hash	malicious	Browse	185.19.85.141

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5958226129883873
Encrypted:	false
SSDEEP:	6:bIE2k1GaD0JOCEfMuaaD0JOCEfMKQmD411Al/gz2cE0fMbhEZolrRSQ2hyYIIT:bICGaD0JcaaD0JwQQ0Ag/0bjSQJ
MD5:	87306F78951BD3787587D871BEB0576F
SHA1:	EEA20FE290598065D9BFE47EBBC26A754A808A9D
SHA-256:	FA205688D9A66BFED57CCB6BAA2F5EE4D9C2AA97B2F5C41F16C3983A255E31BB
SHA-512:	37D2B1EF9F686AB86E9A4EB1BB2AA730FDA3A5409E00ABCC822FAD66391BC281A5EE8731B7E975E74C264A9E1F67088AD8DB30BED8DB440F1DC64FCC7D29B2E1
Malicious:	false
Preview:	....E..h..(..........y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x4279f839, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09541840300770617
Encrypted:	false
SSDEEP:	6:/Gzwl/+zYc1RIE11Y8TRXxw8JM/qKdGzwl/+zYc1RIE11Y8TRXxw8JM/qK:e0+ZO4ble8GqKY0+ZO4ble8GqK
MD5:	158B2CE0BAE4BFDB76929BC97D4ED111
SHA1:	15E99D6C6F156E69607BACDD0FDC97D61A8FDEAB
SHA-256:	201C9AECACABF965D1BCC3A96F6C8648131CA20628BA537096BFD4563F9E4463
SHA-512:	4313CFACB946053B6165E4BE52786D76C87B0EE60F0A3D90A0D375D4EB66895BFF1F89EF746EE8D7E54C01949A0A4645B038F62B8DB5EC253BE583AE2EF5A357
Malicious:	false
Preview:	By.9... ................e.f.3...w........................&..........w.......y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................}Q\......y!{................5.w@.....y!.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.11008638410518784
Encrypted:	false
SSDEEP:	3:0Slll1Evx6zpl+uXl/bJdAtijSl8g//ill:NlYY+At4QM/G
MD5:	32BF03765B201C794379B2886F7DFAAA
SHA1:	E08202B3B58DD149B3E0B8D460B76A5626BDC126
SHA-256:	66BEC12E8D18E3B60AF7FDB42B82BC36E55B6EC7D169444D72AA7B5B3FBFDC08
SHA-512:	FABC8E6B3F216D1E5B05DC8B2091277662256F5A44CE7DA3F27D389CB428D6DBA9DDBA4FD597458806594634EF4D60DA5754A81A89A8375F79617B63DB341253
Malicious:	false
Preview:	.........................................3...w.......y!......w...............w.......w....:O.....w..................5.w@.....y!.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_zUEBMx2U10.exe_78eefa6469bab2f3c8b6995723de54eaa9f64f5_e1271c13_1a835371\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	15168
Entropy (8bit):	3.772575452690747
Encrypted:	false
SSDEEP:	192:oKvDOyUlumHBUZMXSaKA6KZDnyK/u7swS274ItP+:ocOhfBUZMXSaNyK/u7swX4ItP+
MD5:	39A5705C28EFF9F9115F765B235D600D
SHA1:	2E507030B705FAE93A036D6BE596005B9ADAB280
SHA-256:	EA0C60CECCD2B89D2155AE9B9794CF7CCF4597E3153B7174B01CFFBA9B142FA4
SHA-512:	BD759F5505DF9D37528825C13056EB6C6E2CEF432F1A224D5F49B35BECB8D8601814E6150116C244BE0DF285B5721A3C8FD6D63DC7A19E23B3A25F6CF144FF2D
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.5.2.9.5.7.5.7.7.0.3.2.7.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.5.2.9.5.7.9.8.0.4.6.8.3.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.b.9.5.a.0.4.a.-.b.5.f.7.-.4.8.f.f.-.9.8.6.6.-.2.c.0.f.b.0.c.5.6.3.9.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.a.f.6.e.6.6.-.d.3.b.f.-.4.1.6.f.-.a.b.6.4.-.c.e.0.9.6.0.f.5.7.b.2.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.z.U.E.B.M.x.2.U.1.0...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.f.i.r.s.t.o.f.t.h.e.d.a.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.8.c.-.0.0.0.1.-.0.0.1.7.-.1.f.d.a.-.5.8.6.3.2.9.4.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.5.d.1.6.d.f.a.d.6.e.4.2.6.3.2.9.0.4.6.3.0.3.6.0.7.5.2.1.6.9.c.0.0.0.0.0.0.0.0.!.0.0.0.0.9.3.1.6.f.f.3.5.c.1.8.5.d.c.f.3.c.8.0.c.2.c.3.a.b.2.f.f.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER181E.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.696982552174106
Encrypted:	false
SSDEEP:	96:9GiZYW6AzLm/xNYpYaVXWYnIKHtYEZFSt6i6Cq1anwbUH1riamDaxTLIoH3:9jZD6hNefIM7K12amDaxTEoH3
MD5:	637D4D0440F4D049456A47DDA2D36250
SHA1:	6E29AE01893B93BB533E749F5987B68DDA79B972
SHA-256:	210076BDA8F549E60A49EC523AFE682E808D23A05E2FCC167CCAD210F137900A
SHA-512:	1097BEE406A188579C9F3220C966EC35667026014A9BABACE5AEB2D8CBD745BF691E927DE196C6BE293340F2040519FE83CF879DE1EC95E1305F67B2ECCC304C
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A36.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	58944
Entropy (8bit):	3.0571025518576973
Encrypted:	false
SSDEEP:	1536:xGHqNPEqc/iKt3BH8ATAYElNbVGZFY2gHfSW8f:xGHqNPEqc/iKt3BH8ATAYEnbVGZFY2g2
MD5:	86E89D5FE7CF3A80FB59420EE8CC4B9B
SHA1:	95C66477998366246D15E8AB999D90AEED6BEB07
SHA-256:	7D5C6325908AE0C057D35338B114364A159E78849803E6CEAE340B2C1A674A4D
SHA-512:	7D84764E1A31915732AC0582A2233E3183908F23386FA5B008CC3D6CFEE3A636DF9724D13F232683F4914655073B44FF875D283872625FE61CD949CD5A9C091F
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER589F.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.697141196280185
Encrypted:	false
SSDEEP:	96:9GiZYWKpvWZvGGYQjYmWn+HxYEZg5t3iAqWfQwIOvaoYyba9uIIZ3:9jZDbQGVj8uAaoYybaTIZ3
MD5:	510C45A6592056553AC63F4968EABAD0
SHA1:	73FBE155F9199A64F2BA782BAF6F6905DB2A74D2
SHA-256:	BB4D39070AC844F489107E8054EF5F1C3BA4BFCC6B14C695435C3691489D23EE
SHA-512:	FE3C03EF6E5F3A14CF81D37E95627ECD4B6CE9375FC73CBBA66C94AE808835E35B5B7117A8BB543F28E91E59645A69DEC6453FA8F4514579791D1B132DCD747D
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E9.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4753
Entropy (8bit):	4.485781982557908
Encrypted:	false
SSDEEP:	48:cvIwSD8zs/JgtWI9oGWSC8BYb8fm8M4JCiFFR+q8vViBAo80d:uITfhbHSNGYJVKuAo/d
MD5:	B9A973CC04B128D87032237E0E10CC66
SHA1:	B882B98974A8A53B92B54DD941FE771FCF554D01
SHA-256:	03CCC40385E487425ABE03A1C21E498640F3CCDECCFC7E990B6FAD9D8B1FA1D6
SHA-512:	1588F3CCDA280391B683CB10BB89E2F6E5C4CD20CE1E36DF0961F78937B3BC0F47B77D7D8F6C251FF487D3AAA8A3B0333EF5EF551E3FED9BD47DE4F03653B298
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="986253" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER716.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	56228
Entropy (8bit):	3.0625949262184773
Encrypted:	false
SSDEEP:	1536:j6H6MLtKN06xBLeHxAK+vuiXzzFGZCEpJIRNFCG:j6H6MLtKN06xBLeHxAK+v9XzzFGZCEpo
MD5:	3A17C870469D8BB2B909FBA7DED15A03
SHA1:	62E3F24D0E2B3035F3DA819DB45600B4B4B7117A
SHA-256:	6E56C33E71BFCCE9DB722CF225902A1C48A8EA19C6214A3438EAE820AE179C48
SHA-512:	379184342EDF4CF5C6A7D04C9511E03F7C0AE0C4CE37D035B33E52EA5971AD89C1B4DCAD7EA4A77268EE57313DC313BCB9E70CBA6001D93EB1C4AEBCC15D4962
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA985.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 12 12:22:55 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	272356
Entropy (8bit):	3.878367992737439
Encrypted:	false
SSDEEP:	3072:I7s5Qu01GOjd+p6p6r5D69gIOgF54d0HUCgUukoZP2fR:P0sLpsJ9RpDSUTjukLZ
MD5:	294145C1B9BF2FA2BA10327C9A1866A0
SHA1:	C5337481A0144CD109270EB56B907BFF63733FDB
SHA-256:	5AC2047BFC75F4BF87B82C00720667A716BAB6D7C4DF5DA059129B5D5B0DD2BF
SHA-512:	110460301EDBBDCA459A3FC4223BD8C30C169AF47DB4BFA466DFE9789A5FE1813C1CA2DF163D3A82198BD794762D3339E0A5BA2AEC45E10E0B708955FE241198
Malicious:	false
Preview:	MDMP....... .........`...................U...........B......t&......GenuineIntelW...........T..........._.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF842.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8406
Entropy (8bit):	3.698829527938305
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNilU6fj6YJDSUacZZgmfZPSBCprd89bLPsfPtZm:RrlsNiG6fj6YdSUacZZgmfRSjL0fP6
MD5:	A0E276EED1D6DBFCE8D480F8F3449B32
SHA1:	B225F1BDAED285C408DDBC60C8676CBA1EBDE820
SHA-256:	0AEC53F74EE6C6F7B12668DA50C3B560AC8FBDAAED5769862C74CB09FD7A818F
SHA-512:	E359B8C20DE5DDEC8530992DB9FEF26A202076E6480C7FB3425DD09233AC0C823DD5482671509007FD64D108A7F4E2D358DF339B5BA0D2A631A845A5FBFA2480
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.4.0.<./.P.i.d.>.......

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	25168
Entropy (8bit):	4.975582086060887
Encrypted:	false
SSDEEP:	768:6BV3IpNBQkj2Lh4iUxQedNYotBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYoI:6BV3CNBQkj2Lh4iUxvdNYotBV3CNBQkx
MD5:	62E1AE94DE84ED9286704EBD6856A263
SHA1:	4888C4CFAA74FA9BCD7339CBF760B1060314246B
SHA-256:	9AC3E181F8EB940093EF7F212696338C30CD1407AF8ECB25610C39D6B00D4C43
SHA-512:	E99B7BA733C622C675AA7944338E994EE0D941663D812D702D986F4C162C4BC40FA2C837C6C761598B826A8CB7157DFBDDC20932B41B3D637209B3333BEEEB37
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ppcodrv.gyz.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1v0s3drz.b2l.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bnck3iqu.cd0.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jxa21zr3.o5a.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nxvdofi2.t21.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uludn5pk.srf.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\zUEBMx2U10.exe
File Type:	data
Category:	dropped
Size (bytes):	1856
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhL:HjhDjhDjhDjhDjhDjhDjhDjhL
MD5:	30D23CC577A89146961915B57F408623
SHA1:	9B5709D6081D8E0A570511E6E0AAE96FA041964F
SHA-256:	E2130A72E55193D402B5F43F7F3584ECF6B423F8EC4B1B1B69AD693C7E0E5A9E
SHA-512:	2D5C5747FD04F8326C2CC1FB313925070BC01D3352AFA6C36C167B72757A15F58B6263D96BD606338DA055812E69DDB628A6E18D64DD59697C2F42D1C58CC687
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\zUEBMx2U10.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:2FNn:2FN
MD5:	B9BC5CD5EAF6A468D168FB442D2E8F9B
SHA1:	7353405914980EEF7C77A9B073F055A3A605A515
SHA-256:	8882268570AB664B41A35932220BB9CA45EB1FC1840433D086861B029055F325
SHA-512:	91D483A09B0924C53076BE4D8EA83A3CF882145A4802AAE50F3B9FF93261BABE34152EBA8568274CDA7355A73D28A0514878B22E47BB1EF47BCEBB28486D05B8
Malicious:	true
Preview:	.8..@..H

C:\Users\user\Documents\20210512\PowerShell_transcript.760639.0gogqNuT.20210512052206.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1670
Entropy (8bit):	5.409109800001059
Encrypted:	false
SSDEEP:	48:BZyvTL7oO+SWrCaqDYB1ZFWr8ZxvTL7oO+SWrCaqDYB1ZA:BZOTL7NQrNqDo1ZQr8Z9TL7NQrNqDo1m
MD5:	E721A80A2E19603A6D3D58612B752908
SHA1:	A879BA89D2D04B4495B6599F9EEBA7B1FFAFD810
SHA-256:	A9CC9D35C03DC87A11560A8C271CCB8753953073DBE34FB8C080D3B45E779EE9
SHA-512:	0FF90B271CDFEFAF5362FF2EEAE99ED3F01E4E762C5E69B5C5C37A23B0CD4033E31A66B3DB7B190886E5C30563780FB76EDC253CAEAAC8EC768EBF0AB4B5E711
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210512052235..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 760639 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe -Force..Process ID: 6884..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210512052236..******************..PS>Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe -Force..********************..Windows PowerShell transcript star

C:\Users\user\Documents\20210512\PowerShell_transcript.760639.6iHHi+Z_.20210512052205.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1670
Entropy (8bit):	5.404428336497538
Encrypted:	false
SSDEEP:	48:BZ1vTL7oO+SWrCjqDYB1ZqWr8ZhvTL7oO+SWrCjqDYB1ZA:BZ5TL7NQrQqDo1Zjr8ZNTL7NQrQqDo1m
MD5:	95CF25D28B6DD66BBD65DC6981EE268C
SHA1:	DD8240ABD38443DC2D1B842A4BE75D60ADAA04F6
SHA-256:	7DB258F10C5C48BD65DF0A3D7C796D2C79F493607A682309B8C3C50381B3FD69
SHA-512:	47C5F49146563B84CBF486828C6C78690F91DC8561C1BD45AAE272D2B1143632A0A41134096ACBB11F465D5463B80B744A40420C813BD25286644794E5729D47
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210512052230..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 760639 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe -Force..Process ID: 6768..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210512052231..******************..PS>Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe -Force..********************..Windows PowerShell transcript star

C:\Users\user\Documents\20210512\PowerShell_transcript.760639.yQJTMGoZ.20210512052205.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5157
Entropy (8bit):	5.40281500495079
Encrypted:	false
SSDEEP:	96:BZ0TL7NT3qDo1ZQZMTL7NT3qDo1Zm4yQjZcTL7NT3qDo1ZKZA9:QXct
MD5:	C842B072D4CD14B613110323B78EEC3B
SHA1:	FD9727C0CA8A4AADA32EB9B2F8D6771A11A3C9F7
SHA-256:	4C877AB28F383BBD5FFD805D2F7108181C416BEC4592A20F5344A4789DF3B176
SHA-512:	D3C6238D1651F5E0D2DCD171E071474DB2FD88AE23B07F33A53084F7B4CF3A484F00D627589514812362ABEF3B237D232590AE5D572EEB3FB9564168416C0F3F
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210512052228..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 760639 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\zUEBMx2U10.exe -Force..Process ID: 6792..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210512052229..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\zUEBMx2U10.exe -Force..********************..Windows PowerShell transcript start..Start time: 20210512053304..Username: computer\user..RunAs User: DESKTOP

C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe Download File
Process:	C:\Users\user\Desktop\zUEBMx2U10.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3858432
Entropy (8bit):	2.557351272214791
Encrypted:	false
SSDEEP:	1536:cGEBIZ5HlFuxK0Roj0whXkyiaCVS1nKT+jQdvWxdisWf52MvAsqPqMxm/wr59vEZ:cx
MD5:	9B2B7ACC05E281C17F978028722B51E9
SHA1:	9316FF35C185DCF3C80C2C3AB2FF55FF1076652A
SHA-256:	92781FA0C501E4375F625A6E8379BBE8F0D7D42FD6699981233A044222E081D4
SHA-512:	BE7BA4787433FB3FABCBC66088553FB424A65DD1C654E23458805019A2E156B4296495AE044918A49F4DFB846CC646DB26DB34704C0F3B8218CE721D0A282B24
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 38%, Browse Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6..........."...0...:...........:.. ....;...@.. .......................@;...........@.................................d.:.W.....;...................... ;...................................................... ............... ..H............text.....:.. ....:................. ..`.rsrc.........;.......:.............@..@.reloc....... ;.......:.............@..B..................:.....H.......8%..,.:..........$...............................................".(.....^..}.....(.......(........s....}......(...... ... ....s....( .....r..:po!....&.(......".......".(%....Vs....(&...t.............0...........s.....+........o.....*..0...........s.....s.....(.....+........r...po.... ....[..(.....(........(.....l.........,.+.....+.r...po....................o...........,.+....X......+..........%.. .o.........+I..........o...........,.+)..r..:p(........,.+....

C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\zUEBMx2U10.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	2.557351272214791
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	zUEBMx2U10.exe
File size:	3858432
MD5:	9b2b7acc05e281c17f978028722b51e9
SHA1:	9316ff35c185dcf3c80c2c3ab2ff55ff1076652a
SHA256:	92781fa0c501e4375f625a6e8379bbe8f0d7d42fd6699981233a044222e081d4
SHA512:	be7ba4787433fb3fabcbc66088553fb424a65dd1c654e23458805019a2e156b4296495ae044918a49f4dfb846cc646db26db34704c0f3b8218ce721d0a282b24
SSDEEP:	1536:cGEBIZ5HlFuxK0Roj0whXkyiaCVS1nKT+jQdvWxdisWf52MvAsqPqMxm/wr59vEZ:cx
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6..........."...0...:...........:.. ....;...@.. .......................@;...........@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x7af4be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x8236B8BB [Fri Mar 25 00:05:15 2039 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3af464	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b0000	0x5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3b2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3ad4c4	0x3ad600	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x3b0000	0x5c8	0x600	False	0.416015625	data	4.10885896675	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3b2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x3b00a0	0x33c	data
RT_MANIFEST	0x3b03dc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2021
Assembly Version	1.0.0.0
InternalName	firstoftheday.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	firstoftheday
ProductVersion	1.0.0.0
FileDescription	firstoftheday
OriginalFilename	firstoftheday.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 05:22:42.181093931 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:42.535836935 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:42.535957098 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:43.021526098 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:43.417398930 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:43.436244011 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:43.756023884 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:43.800909996 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:44.793487072 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.233567953 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.233639002 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.233707905 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.233779907 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.234361887 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.234433889 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.234456062 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.234580040 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.234647989 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.586976051 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.587085009 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.587116957 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.587173939 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.587271929 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.587327003 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.587449074 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.587498903 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.587587118 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.587635994 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.587812901 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.587866068 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.588157892 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.588201046 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.588221073 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.588315010 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.903383970 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.903712034 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.903800011 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.903809071 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.904248953 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.904311895 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.904378891 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.904501915 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.904546976 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.904601097 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.904938936 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.904989958 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.905092001 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.905220032 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.905270100 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.905327082 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.905430079 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.905477047 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.905534983 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.905827045 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.905874014 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.905886889 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:45.906181097 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:45.906239986 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.242923975 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.242954969 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.242966890 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.243083000 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.243138075 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.243163109 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.243175983 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.243225098 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.243271112 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.243534088 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.243556023 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.243621111 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.243680954 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.243798971 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.243855953 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.243957996 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.244070053 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.244124889 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.244450092 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.244504929 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.244560957 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.244638920 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.244755030 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.244810104 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.244966984 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.245413065 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.245475054 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.245563030 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.245697021 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.245743036 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.245847940 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.245954037 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.246000051 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.246074915 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.246160030 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.246201992 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.246447086 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.246548891 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.246591091 CEST	49728	9090	192.168.2.6	185.19.85.140
May 12, 2021 05:22:46.246679068 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.246911049 CEST	9090	49728	185.19.85.140	192.168.2.6
May 12, 2021 05:22:46.246929884 CEST	9090	49728	185.19.85.140	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 05:21:44.392151117 CEST	64267	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:44.454217911 CEST	53	64267	8.8.8.8	192.168.2.6
May 12, 2021 05:21:44.969283104 CEST	49448	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:45.019577026 CEST	53	49448	8.8.8.8	192.168.2.6
May 12, 2021 05:21:46.178647995 CEST	60342	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:46.227346897 CEST	53	60342	8.8.8.8	192.168.2.6
May 12, 2021 05:21:47.001123905 CEST	61346	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:47.049767017 CEST	53	61346	8.8.8.8	192.168.2.6
May 12, 2021 05:21:49.854787111 CEST	51774	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:49.905215979 CEST	53	51774	8.8.8.8	192.168.2.6
May 12, 2021 05:21:50.805028915 CEST	56023	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:50.857408047 CEST	53	56023	8.8.8.8	192.168.2.6
May 12, 2021 05:21:51.613993883 CEST	58384	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:51.662810087 CEST	53	58384	8.8.8.8	192.168.2.6
May 12, 2021 05:21:52.741713047 CEST	60261	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:52.790513992 CEST	53	60261	8.8.8.8	192.168.2.6
May 12, 2021 05:21:53.604362011 CEST	56061	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:53.655986071 CEST	53	56061	8.8.8.8	192.168.2.6
May 12, 2021 05:21:55.662966013 CEST	58336	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:55.711884022 CEST	53	58336	8.8.8.8	192.168.2.6
May 12, 2021 05:21:56.522459984 CEST	53781	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:56.579611063 CEST	53	53781	8.8.8.8	192.168.2.6
May 12, 2021 05:21:57.410602093 CEST	54064	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:57.471016884 CEST	53	54064	8.8.8.8	192.168.2.6
May 12, 2021 05:21:59.637209892 CEST	52811	53	192.168.2.6	8.8.8.8
May 12, 2021 05:21:59.686049938 CEST	53	52811	8.8.8.8	192.168.2.6
May 12, 2021 05:22:00.445169926 CEST	55299	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:00.493896961 CEST	53	55299	8.8.8.8	192.168.2.6
May 12, 2021 05:22:01.446686983 CEST	63745	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:01.495455980 CEST	53	63745	8.8.8.8	192.168.2.6
May 12, 2021 05:22:02.553551912 CEST	50055	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:02.605151892 CEST	53	50055	8.8.8.8	192.168.2.6
May 12, 2021 05:22:03.698920012 CEST	61374	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:03.750457048 CEST	53	61374	8.8.8.8	192.168.2.6
May 12, 2021 05:22:04.769795895 CEST	50339	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:04.823363066 CEST	53	50339	8.8.8.8	192.168.2.6
May 12, 2021 05:22:21.244643927 CEST	63307	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:21.316487074 CEST	53	63307	8.8.8.8	192.168.2.6
May 12, 2021 05:22:39.220978975 CEST	49694	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:39.281143904 CEST	53	49694	8.8.8.8	192.168.2.6
May 12, 2021 05:22:41.386811018 CEST	54982	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:41.613265038 CEST	53	54982	8.8.8.8	192.168.2.6
May 12, 2021 05:22:41.660953045 CEST	50010	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:41.719435930 CEST	53	50010	8.8.8.8	192.168.2.6
May 12, 2021 05:22:52.175230026 CEST	63718	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:52.397355080 CEST	53	63718	8.8.8.8	192.168.2.6
May 12, 2021 05:22:59.768373013 CEST	62116	53	192.168.2.6	8.8.8.8
May 12, 2021 05:22:59.830533028 CEST	53	62116	8.8.8.8	192.168.2.6
May 12, 2021 05:23:06.820121050 CEST	63816	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:06.891052008 CEST	53	63816	8.8.8.8	192.168.2.6
May 12, 2021 05:23:06.963944912 CEST	55014	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:07.023929119 CEST	53	55014	8.8.8.8	192.168.2.6
May 12, 2021 05:23:07.732428074 CEST	62208	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:07.837635040 CEST	53	62208	8.8.8.8	192.168.2.6
May 12, 2021 05:23:08.897435904 CEST	57574	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:09.001605034 CEST	53	57574	8.8.8.8	192.168.2.6
May 12, 2021 05:23:10.012686014 CEST	51818	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:10.069765091 CEST	53	51818	8.8.8.8	192.168.2.6
May 12, 2021 05:23:10.889924049 CEST	56628	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:10.947150946 CEST	53	56628	8.8.8.8	192.168.2.6
May 12, 2021 05:23:11.772455931 CEST	60778	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:11.829668999 CEST	53	60778	8.8.8.8	192.168.2.6
May 12, 2021 05:23:13.295650005 CEST	53799	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:13.358124971 CEST	53	53799	8.8.8.8	192.168.2.6
May 12, 2021 05:23:14.012598991 CEST	54683	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:14.071949959 CEST	53	54683	8.8.8.8	192.168.2.6
May 12, 2021 05:23:15.873629093 CEST	59329	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:15.933146954 CEST	53	59329	8.8.8.8	192.168.2.6
May 12, 2021 05:23:17.469090939 CEST	64021	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:17.528901100 CEST	53	64021	8.8.8.8	192.168.2.6
May 12, 2021 05:23:17.606360912 CEST	56129	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:17.657932997 CEST	53	56129	8.8.8.8	192.168.2.6
May 12, 2021 05:23:18.770546913 CEST	58177	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:18.830600023 CEST	53	58177	8.8.8.8	192.168.2.6
May 12, 2021 05:23:19.971337080 CEST	50700	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:20.028148890 CEST	53	50700	8.8.8.8	192.168.2.6
May 12, 2021 05:23:23.621001005 CEST	54069	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:23.678153038 CEST	53	54069	8.8.8.8	192.168.2.6
May 12, 2021 05:23:25.175764084 CEST	61178	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:25.248471975 CEST	53	61178	8.8.8.8	192.168.2.6
May 12, 2021 05:23:31.218559027 CEST	57017	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:31.284054995 CEST	53	57017	8.8.8.8	192.168.2.6
May 12, 2021 05:23:32.738291025 CEST	56327	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:32.798279047 CEST	53	56327	8.8.8.8	192.168.2.6
May 12, 2021 05:23:41.981621981 CEST	50243	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:42.208885908 CEST	53	50243	8.8.8.8	192.168.2.6
May 12, 2021 05:23:45.884076118 CEST	62055	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:45.943105936 CEST	53	62055	8.8.8.8	192.168.2.6
May 12, 2021 05:23:50.228087902 CEST	61249	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:50.285227060 CEST	53	61249	8.8.8.8	192.168.2.6
May 12, 2021 05:23:57.315285921 CEST	65252	53	192.168.2.6	8.8.8.8
May 12, 2021 05:23:57.539803028 CEST	53	65252	8.8.8.8	192.168.2.6
May 12, 2021 05:24:04.391263008 CEST	64367	53	192.168.2.6	8.8.8.8
May 12, 2021 05:24:04.439948082 CEST	53	64367	8.8.8.8	192.168.2.6
May 12, 2021 05:24:06.723969936 CEST	55066	53	192.168.2.6	8.8.8.8
May 12, 2021 05:24:06.800782919 CEST	53	55066	8.8.8.8	192.168.2.6
May 12, 2021 05:24:07.639086962 CEST	60211	53	192.168.2.6	8.8.8.8
May 12, 2021 05:24:07.707125902 CEST	53	60211	8.8.8.8	192.168.2.6
May 12, 2021 05:24:24.540781021 CEST	56570	53	192.168.2.6	8.8.8.8
May 12, 2021 05:24:24.598411083 CEST	53	56570	8.8.8.8	192.168.2.6
May 12, 2021 05:24:30.486408949 CEST	58454	53	192.168.2.6	8.8.8.8
May 12, 2021 05:24:30.535231113 CEST	53	58454	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 05:22:41.386811018 CEST	192.168.2.6	8.8.8.8	0x30b2	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:22:52.175230026 CEST	192.168.2.6	8.8.8.8	0xaef8	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:22:59.768373013 CEST	192.168.2.6	8.8.8.8	0x64d8	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:23:06.963944912 CEST	192.168.2.6	8.8.8.8	0xc4ed	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:23:17.469090939 CEST	192.168.2.6	8.8.8.8	0xdaf4	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:23:23.621001005 CEST	192.168.2.6	8.8.8.8	0x7abb	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:23:32.738291025 CEST	192.168.2.6	8.8.8.8	0xb97d	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:23:41.981621981 CEST	192.168.2.6	8.8.8.8	0x7ad	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:23:50.228087902 CEST	192.168.2.6	8.8.8.8	0x6bd9	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:23:57.315285921 CEST	192.168.2.6	8.8.8.8	0x1a0d	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)
May 12, 2021 05:24:24.540781021 CEST	192.168.2.6	8.8.8.8	0xf295	Standard query (0)	backupjuly.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 12, 2021 05:22:41.613265038 CEST	8.8.8.8	192.168.2.6	0x30b2	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:22:52.397355080 CEST	8.8.8.8	192.168.2.6	0xaef8	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:22:59.830533028 CEST	8.8.8.8	192.168.2.6	0x64d8	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:23:07.023929119 CEST	8.8.8.8	192.168.2.6	0xc4ed	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:23:17.528901100 CEST	8.8.8.8	192.168.2.6	0xdaf4	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:23:23.678153038 CEST	8.8.8.8	192.168.2.6	0x7abb	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:23:32.798279047 CEST	8.8.8.8	192.168.2.6	0xb97d	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:23:42.208885908 CEST	8.8.8.8	192.168.2.6	0x7ad	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:23:50.285227060 CEST	8.8.8.8	192.168.2.6	0x6bd9	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:23:57.539803028 CEST	8.8.8.8	192.168.2.6	0x1a0d	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)
May 12, 2021 05:24:24.598411083 CEST	8.8.8.8	192.168.2.6	0xf295	No error (0)	backupjuly.duckdns.org	185.19.85.140	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: zUEBMx2U10.exe PID: 6540 Parent PID: 5980

General

Start time:	05:21:52
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\zUEBMx2U10.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\zUEBMx2U10.exe'
Imagebase:	0xbc0000
File size:	3858432 bytes
MD5 hash:	9B2B7ACC05E281C17F978028722B51E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.680956480.0000000006E35000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.651427825.00000000042A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: svchost.exe PID: 6644 Parent PID: 560

General

Start time:	05:21:56
Start date:	12/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 6768 Parent PID: 6540

General

Start time:	05:22:01
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 6776 Parent PID: 6768

General

Start time:	05:22:02
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 6792 Parent PID: 6540

General

Start time:	05:22:02
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zUEBMx2U10.exe' -Force
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 6844 Parent PID: 6792

General

Start time:	05:22:02
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 6884 Parent PID: 6540

General

Start time:	05:22:02
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 6940 Parent PID: 6884

General

Start time:	05:22:03
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 7112 Parent PID: 6540

General

Start time:	05:22:06
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 7148 Parent PID: 7112

General

Start time:	05:22:07
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exe PID: 5784 Parent PID: 7112

General

Start time:	05:22:08
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0xc00000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: zUEBMx2U10.exe PID: 2940 Parent PID: 6540

General

Start time:	05:22:14
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\zUEBMx2U10.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\zUEBMx2U10.exe
Imagebase:	0x330000
File size:	3858432 bytes
MD5 hash:	9B2B7ACC05E281C17F978028722B51E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: svchost.exe PID: 6276 Parent PID: 3440

General

Start time:	05:22:16
Start date:	12/05/2021
Path:	C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe'
Imagebase:	0xa60000
File size:	3858432 bytes
MD5 hash:	9B2B7ACC05E281C17F978028722B51E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 38%, Metadefender, Browse Detection: 76%, ReversingLabs
Reputation:	low

Analysis Process: zUEBMx2U10.exe PID: 3800 Parent PID: 6540

General

Start time:	05:22:18
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\zUEBMx2U10.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\zUEBMx2U10.exe
Imagebase:	0x1e0000
File size:	3858432 bytes
MD5 hash:	9B2B7ACC05E281C17F978028722B51E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: svchost.exe PID: 6384 Parent PID: 560

General

Start time:	05:22:21
Start date:	12/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: zUEBMx2U10.exe PID: 6516 Parent PID: 6540

General

Start time:	05:22:22
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\zUEBMx2U10.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\zUEBMx2U10.exe
Imagebase:	0xed0000
File size:	3858432 bytes
MD5 hash:	9B2B7ACC05E281C17F978028722B51E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: svchost.exe PID: 6480 Parent PID: 3440

General

Start time:	05:22:24
Start date:	12/05/2021
Path:	C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe'
Imagebase:	0xb30000
File size:	3858432 bytes
MD5 hash:	9B2B7ACC05E281C17F978028722B51E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: svchost.exe PID: 6728 Parent PID: 560

General

Start time:	05:22:28
Start date:	12/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 6680 Parent PID: 6728

General

Start time:	05:22:29
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6540 -ip 6540
Imagebase:	0xea0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 6876 Parent PID: 6540

General

Start time:	05:22:30
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1760
Imagebase:	0xea0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: svchost.exe PID: 6256 Parent PID: 560

General

Start time:	05:22:43
Start date:	12/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 3224 Parent PID: 560

General

Start time:	05:23:04
Start date:	12/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 2276 Parent PID: 560

General

Start time:	05:23:19
Start date:	12/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: powershell.exe PID: 3624 Parent PID: 6276

General

Start time:	05:23:36
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exe PID: 7044 Parent PID: 3624

General

Start time:	05:23:37
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: powershell.exe PID: 1768 Parent PID: 6276

General

Start time:	05:23:37
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\n24d78b7bgh77OZ2K111tT4aUZ16c1FC8fLd3d31Nr6\svchost.exe' -Force
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exe PID: 4264 Parent PID: 1768

General

Start time:	05:23:38
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report zUEBMx2U10.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior