Windows Analysis Report
mine327.exe

Overview

General Information

Sample name: mine327.exe
Analysis ID: 1417451
MD5: f3e70f68d7e2f644bcd312f1333094e1
SHA1: 259dd00ddb8a08fb149c37254bfb865a74bb11b9
SHA256: 6607d552accc951f2cd068bb394200987d7d1e90e34f8cdab3afe6e3ccedee4e

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
Detected unpacking (creates a PE file in dynamic memory)
Early bird code injection technique detected
Multi AV Scanner detection for submitted file
Sigma detected: Stop EventLog
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Explorer Process Tree Break
Sigma detected: Uncommon Svchost Parent Process
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

AV Detection

Source: mine327.exe Avira: detected
Source: mine327.exe ReversingLabs: Detection: 69%
Source: mine327.exe Virustotal: Detection: 48%
Source: mine327.exe Joe Sandbox ML: detected

Exploits

Source: Yara match File source: 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mine327.exe PID: 1436, type: MEMORYSTR

Compliance

Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Unpacked PE file: 16.2.oapavmkbdsqp.exe.280000.1.unpack
Source: mine327.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: .assembly\GAC_MSC:\Users\user\Desktop\Fallkyriya.pdb3fPwty0 source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: ..pdb source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: :\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb.pdb source: mine327.exe, 00000000.00000002.377603583.000000000012A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb.pdb source: mine327.exe, 00000000.00000002.379248247.000000001B31E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscoree.pdbb source: WerFault.exe, 0000000A.00000002.372971964.000000000245F000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb source: mine327.exe, 00000000.00000000.333303562.0000000001292000.00000020.00000001.01000000.00000003.sdmp
Source: Binary string: al\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: .C:\Users\user\Desktop\mine327.PDB source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\mine327.PDB source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000A.00000002.375318351.00000000026B8000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: 2wmine327.PDB source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: explorer.pdb source: explorer.exe, 00000002.00000003.341979658.0000000000430000.00000004.00000001.00020000.00000000.sdmp, oapavmkbdsqp.exe, oapavmkbdsqp.exe, 00000010.00000002.409921933.00000000FF621000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: 8C:\Windows\Fallkyriya.pdb source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: symbols\exe\Fallkyriya.pdbb4 source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: explorer.pdbP source: explorer.exe, 00000002.00000003.341979658.0000000000430000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000A.00000002.372971964.000000000245F000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb/ source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_0057DCE0 FindFirstFileExW, 0_2_0057DCE0
Source: C:\Windows\System32\services.exe Code function: 6_2_001FDCE0 FindFirstFileExW, 6_2_001FDCE0
Source: C:\Windows\System32\WerFault.exe Code function: 10_2_0248DCE0 FindFirstFileExW, 10_2_0248DCE0
Source: C:\Windows\System32\winlogon.exe Code function: 12_2_0098DCE0 FindFirstFileExW, 12_2_0098DCE0
Source: C:\Windows\System32\sc.exe Code function: 13_2_0016DCE0 FindFirstFileExW, 13_2_0016DCE0
Source: C:\Windows\System32\conhost.exe Code function: 15_2_0020DCE0 FindFirstFileExW, 15_2_0020DCE0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_0028DCE0 FindFirstFileExW, 16_2_0028DCE0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_002FDCE0 FindFirstFileExW, 16_2_002FDCE0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF63F060 SHGetFolderPathEx,StrChrW,FindFirstFileW,PathRemoveFileSpecW,CompareStringOrdinal,lstrcmpiW,GetDesktopWindow,#292,FindNextFileW,FindClose, 16_2_FF63F060
Source: C:\Windows\System32\lsass.exe Code function: 17_2_009CDCE0 FindFirstFileExW, 17_2_009CDCE0
Source: C:\Windows\System32\lsm.exe Code function: 19_2_0026DCE0 FindFirstFileExW, 19_2_0026DCE0
Source: C:\Windows\System32\svchost.exe Code function: 20_2_006BDCE0 FindFirstFileExW, 20_2_006BDCE0
Source: C:\Windows\System32\svchost.exe Code function: 22_2_014ADCE0 FindFirstFileExW, 22_2_014ADCE0
Source: C:\Windows\System32\svchost.exe Code function: 23_2_00BCDCE0 FindFirstFileExW, 23_2_00BCDCE0
Source: C:\Windows\System32\svchost.exe Code function: 24_2_00A7DCE0 FindFirstFileExW, 24_2_00A7DCE0
Source: C:\Windows\System32\svchost.exe Code function: 25_2_00C6DCE0 FindFirstFileExW, 25_2_00C6DCE0
Source: C:\Windows\System32\svchost.exe Code function: 26_2_002CDCE0 FindFirstFileExW, 26_2_002CDCE0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 4x nop then mov qword ptr [rsp+10h], rbx 16_2_FF625AF6
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 4x nop then mov rax, rsp 16_2_FF62611B
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 4x nop then mov qword ptr [rsp+08h], rbx 16_2_FF654044
Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363658371.000000000044C000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.367143979.000000000044C000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: WerFault.exe, 0000000A.00000002.367143979.00000000003CF000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363658371.00000000003C2000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: lsass.exe, 00000011.00000000.343011330.0000000001220000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: lsass.exe, 00000011.00000002.606687725.0000000001220000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.000000000122E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.0000000001220000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: WerFault.exe, 0000000A.00000002.375602362.00000000039FE000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: lsass.exe, 00000011.00000002.606687725.0000000001220000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.000000000122E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crls.pki.goog/gts1c3/moVDfISia2k.crl0
Source: explorer.exe, 0000001F.00000002.602714101.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.349660283.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com
Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: WerFault.exe, 0000000A.00000003.363658371.000000000044C000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.367143979.000000000044C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: WerFault.exe, 0000000A.00000003.363658371.000000000044C000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.367143979.000000000044C000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: WerFault.exe, 0000000A.00000002.367143979.00000000003CF000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363658371.00000000003C2000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: lsass.exe, 00000011.00000000.343011330.0000000001220000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: lsass.exe, 00000011.00000002.606687725.0000000001220000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.000000000122E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.342781591.000000000022B000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000011.00000002.603202980.000000000022B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: lsass.exe, 00000011.00000002.606687725.0000000001220000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.000000000122E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.0000000001220000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: lsass.exe, 00000011.00000000.343011330.0000000001220000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: lsass.exe, 00000011.00000002.606687725.0000000001220000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.000000000122E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.342781591.000000000022B000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000011.00000002.603202980.000000000022B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: lsass.exe, 00000011.00000002.606687725.0000000001220000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.000000000122E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.0000000001220000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: svchost.exe, 00000016.00000000.345782413.0000000001FFC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.605131595.0000000001FFC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.com/win/2004/08/events
Source: svchost.exe, 00000019.00000000.346998279.0000000001FD6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.608643399.0000000001FD6000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 0000001F.00000002.602714101.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.349660283.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: WerFault.exe, 0000000A.00000002.375602362.00000000039FE000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: explorer.exe, 0000001F.00000002.606706574.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.350381000.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.350097876.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.608288265.0000000007AE8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.350702735.0000000007AE8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.606706574.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.350381000.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.604991513.000000000260E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000001F.00000002.606706574.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.350381000.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.350097876.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.608288265.0000000007AE8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.350702735.0000000007AE8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.606706574.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.350381000.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.604991513.000000000260E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000001F.00000000.350097876.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.604991513.000000000260E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerxe
Source: lsass.exe, 00000011.00000002.606687725.0000000001220000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.000000000122E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.0000000001220000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363658371.000000000044C000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.367143979.000000000044C000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: explorer.exe, 0000001F.00000002.602714101.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.349660283.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: svchost.exe, 00000018.00000002.603627532.0000000002668000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.346476637.0000000002668000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://update.googleapis.com/service/update2?cup2key=13:9PlIcYzJ7FuPKbYwS8xEdZ3KAlYn7hgULJcTQTtHhro
Source: explorer.exe, 0000001F.00000002.602714101.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.349660283.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 0000001F.00000002.602714101.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.349660283.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF650F00 GetDC,CreateCompatibleDC,GetClientRect,memset,CreateDIBSection,SelectObject,GdiAlphaBlend,SelectObject,DeleteObject,DeleteDC,ReleaseDC,GetClientRect,memset,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,BitBlt,GetObjectW,SelectObject,GdiAlphaBlend,SelectObject,DeleteDC, 16_2_FF650F00
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF69BF78 #479,SetForegroundWindow,SendMessageW,SendMessageW,SetForegroundWindow,GetAsyncKeyState,SendMessageW,#479,SetFocus, 16_2_FF69BF78
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF62F56C GetWindowRect,GetThemeBackgroundRegion,SendMessageW,NotifyWinEvent,GetFocus,GetKeyState,GetKeyState,GetKeyState,SendMessageW,NotifyWinEvent, 16_2_FF62F56C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF69C3C4 #618,#388,#60,GetKeyState,GetKeyState,GetKeyState,PostMessageW, 16_2_FF69C3C4
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_005728C8 NtEnumerateValueKey,NtEnumerateValueKey, 0_2_005728C8
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D6E460 NtUnmapViewOfSection, 0_2_000007FE93D6E460
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D6FEF4 NtUnmapViewOfSection, 0_2_000007FE93D6FEF4
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D6FE1A NtUnmapViewOfSection, 0_2_000007FE93D6FE1A
Source: C:\Windows\explorer.exe Code function: 2_2_0000000140001394 NtAlpcConnectPort, 2_2_0000000140001394
Source: C:\Windows\System32\dialer.exe Code function: 3_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 3_2_00000001400010C0
Source: C:\Windows\System32\services.exe Code function: 6_2_001F2244 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread, 6_2_001F2244
Source: C:\Windows\System32\services.exe Code function: 6_2_001F2330 NtQueryDirectoryFile,GetFileType,StrCpyW, 6_2_001F2330
Source: C:\Windows\System32\WerFault.exe Code function: 10_2_02482244 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread, 10_2_02482244
Source: C:\Windows\System32\WerFault.exe Code function: 10_2_02482330 NtQueryDirectoryFile,GetFileType,StrCpyW, 10_2_02482330
Source: C:\Windows\System32\WerFault.exe Code function: 10_2_0248202C NtQuerySystemInformation,StrCmpNIW, 10_2_0248202C
Source: C:\Windows\System32\winlogon.exe Code function: 12_2_009828C8 NtEnumerateValueKey,NtEnumerateValueKey, 12_2_009828C8
Source: C:\Windows\System32\sc.exe Code function: 13_2_001628C8 NtEnumerateValueKey,NtEnumerateValueKey, 13_2_001628C8
Source: C:\Windows\System32\sc.exe Code function: 13_2_00162244 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread, 13_2_00162244
Source: C:\Windows\System32\sc.exe Code function: 13_2_00162B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW, 13_2_00162B2C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_0028202C NtQuerySystemInformation,StrCmpNIW, 16_2_0028202C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_002828C8 NtEnumerateValueKey,NtEnumerateValueKey, 16_2_002828C8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_00282244 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread, 16_2_00282244
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_00282B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW, 16_2_00282B2C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF64BC40 GetCommandLineW,PathGetArgsW,GetCurrentProcess,NtQueryInformationProcess,memset,#155, 16_2_FF64BC40
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF63FD40 ResumeThread,GetPriorityClass,GetLastError,NtQueryInformationProcess,NtQueryInformationProcess,AssignProcessToJobObject,GetLastError, 16_2_FF63FD40
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF63ED28 GetShellWindow,CoCreateInstance,CreateEventW,SetEvent,memset,NtSetSystemInformation,GetCurrentThreadId,SetTimer, 16_2_FF63ED28
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF696DE0 SetPriorityClass,GetLastError,NtSetInformationProcess,NtSetInformationProcess, 16_2_FF696DE0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF64A550 NtOpenThreadToken,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtClose,NtQueryInformationToken, 16_2_FF64A550
Source: C:\Windows\System32\lsass.exe Code function: 17_2_009C202C NtQuerySystemInformation,StrCmpNIW, 17_2_009C202C
Source: C:\Windows\System32\lsm.exe Code function: 19_2_002628C8 NtEnumerateValueKey,NtEnumerateValueKey, 19_2_002628C8
Source: C:\Windows\System32\svchost.exe Code function: 22_2_014A202C NtQuerySystemInformation,StrCmpNIW, 22_2_014A202C
Source: C:\Windows\System32\svchost.exe Code function: 25_2_00C62330 NtQueryDirectoryFile,GetFileType,StrCpyW, 25_2_00C62330
Source: C:\Windows\System32\sc.exe Code function: 13_2_00162B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW, 13_2_00162B2C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: RegisterTraceGuidsW,RegDeleteKeyExW,GetCurrentProcess,SetPriorityClass,SystemParametersInfoW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegCreateKeyW,CreateMutexW,WaitForSingleObject,#899,#188,SetProcessShutdownParameters,PeekMessageW,WaitForSingleObject,CloseHandle,OleInitialize,CoCreateInstance,#660,SHGetValueW,GetUserDefaultUILanguage,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,GetSystemMetrics,CreateEventW,GetSystemMetrics,#885,CloseHandle,RegQueryValueExW,RegSetValueExW,#110,SHCreateThreadRef,SHSetThreadRef,#176,ReleaseMutex,CloseHandle,PostMessageW,#16,GetCurrentProcess,SetPriorityClass,RegisterApplicationRestart,CoCreateInstance,#201,ReleaseMutex,CloseHandle,GetCurrentProcess,SetPriorityClass,memset,SHGetKnownFolderIDList,ShellExecuteExW,#155,memset,GetCommandLineW,PathGetArgsW,CoCreateInstance,CoCreateInstance,CoCreateInstance,memset,GetStartupInfoW,#155,LoadLibraryW,GetProcAddress,FreeLibrary,SHSetThreadRef,GetMessageW,TranslateMessage,DispatchMessageW,RegSetValueExW,#111,OleUninitialize,#188,GetCommandLineW,PathGetArgsW,#158,#10,UnregisterTraceGuids,ExitProcess, CleanShutdown 16_2_FF64020C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: GetWindowsDirectoryW,PathCombineW,memset,ShellExecuteExW, /Reboot Shutdown 16_2_FF698DE8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF621364 DefWindowProcW,#479,SetLastError,EnumChildWindows,#158,#158,BeginPaint,PostMessageW,GetClientRect,IsCompositionActive,#197,DrawThemeBackground,#8,#9,#10,PostMessageW,SendMessageW,PostMessageW,SendMessageW,SendMessageW,#479,LoadCursorW,SetCursor,UpdateWindow,GetClientRect,GetClipBox,IsCompositionActive,#197,DrawThemeBackground,EndPaint,#4,EnumDisplayMonitors,EnumChildWindows,EnumChildWindows,SendMessageW,#100,SendMessageW,SendMessageW,GetDoubleClickTime,TrackMouseEvent,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetTimer,LoadCursorW,SetCursor,#127,EnumDisplayMonitors,ShowWindow,ShowWindow,DestroyWindow,GetClientRect,MapWindowPoints,PtInRect,PtInRect,PtInRect,PtInRect,GetWindowRect,GetMessagePos,PtInRect,DefWindowProcW,InflateRect,SendMessageW,SendMessageW,SendMessageW,GetFocus,#204,#165,GetSystemMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,SendMessageW,#165,KillTimer,SendMessageW,PostMessageW,SendMessageW,GetCursorPos,GetSystemMetrics,GetSystemMetrics,InflateRect,SendMessageW,SendMessageW,FillRect,MapWindowPoints,InflateRect,DrawEdge,GlobalGetAtomNameW,#190,UnregisterHotKey,#388,SetWindowPos,CoMarshalInterThreadInterfaceInStream,ExitWindowsEx,PostMessageW,PostMessageW, 16_2_FF621364
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etl
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_0054D0E0 0_2_0054D0E0
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_005538A8 0_2_005538A8
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_00541F2C 0_2_00541F2C
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_0057DCE0 0_2_0057DCE0
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_005844A8 0_2_005844A8
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_00572B2C 0_2_00572B2C
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D5FC20 0_2_000007FE93D5FC20
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D6A3C5 0_2_000007FE93D6A3C5
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D5A9B0 0_2_000007FE93D5A9B0
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D5A9B8 0_2_000007FE93D5A9B8
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D5D8C9 0_2_000007FE93D5D8C9
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D667DA 0_2_000007FE93D667DA
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D55EDC 0_2_000007FE93D55EDC
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D606E0 0_2_000007FE93D606E0
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D54670 0_2_000007FE93D54670
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D5DD58 0_2_000007FE93D5DD58
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D6BD38 0_2_000007FE93D6BD38
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D6CCEE 0_2_000007FE93D6CCEE
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D6220A 0_2_000007FE93D6220A
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D510D0 0_2_000007FE93D510D0
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D51098 0_2_000007FE93D51098
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D69E84 0_2_000007FE93D69E84
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93E50E25 0_2_000007FE93E50E25
Source: C:\Windows\explorer.exe Code function: 2_2_0000000140003B30 2_2_0000000140003B30
Source: C:\Windows\System32\dialer.exe Code function: 3_2_000000014000226C 3_2_000000014000226C
Source: C:\Windows\System32\dialer.exe Code function: 3_2_00000001400014D8 3_2_00000001400014D8
Source: C:\Windows\System32\dialer.exe Code function: 3_2_0000000140002560 3_2_0000000140002560
Source: C:\Windows\System32\services.exe Code function: 6_2_001D38A8 6_2_001D38A8
Source: C:\Windows\System32\services.exe Code function: 6_2_001CD0E0 6_2_001CD0E0
Source: C:\Windows\System32\services.exe Code function: 6_2_001C1F2C 6_2_001C1F2C
Source: C:\Windows\System32\services.exe Code function: 6_2_002044A8 6_2_002044A8
Source: C:\Windows\System32\services.exe Code function: 6_2_001FDCE0 6_2_001FDCE0
Source: C:\Windows\System32\services.exe Code function: 6_2_001F2B2C 6_2_001F2B2C
Source: C:\Windows\System32\WerFault.exe Code function: 10_2_02482B2C 10_2_02482B2C
Source: C:\Windows\System32\WerFault.exe Code function: 10_2_0248DCE0 10_2_0248DCE0
Source: C:\Windows\System32\WerFault.exe Code function: 10_2_024944A8 10_2_024944A8
Source: C:\Windows\System32\winlogon.exe Code function: 12_2_009638A8 12_2_009638A8
Source: C:\Windows\System32\winlogon.exe Code function: 12_2_0095D0E0 12_2_0095D0E0
Source: C:\Windows\System32\winlogon.exe Code function: 12_2_00951F2C 12_2_00951F2C
Source: C:\Windows\System32\winlogon.exe Code function: 12_2_009944A8 12_2_009944A8
Source: C:\Windows\System32\winlogon.exe Code function: 12_2_0098DCE0 12_2_0098DCE0
Source: C:\Windows\System32\winlogon.exe Code function: 12_2_00982B2C 12_2_00982B2C
Source: C:\Windows\System32\sc.exe Code function: 13_2_001438A8 13_2_001438A8
Source: C:\Windows\System32\sc.exe Code function: 13_2_0013D0E0 13_2_0013D0E0
Source: C:\Windows\System32\sc.exe Code function: 13_2_00131F2C 13_2_00131F2C
Source: C:\Windows\System32\sc.exe Code function: 13_2_00162B2C 13_2_00162B2C
Source: C:\Windows\System32\sc.exe Code function: 13_2_001744A8 13_2_001744A8
Source: C:\Windows\System32\sc.exe Code function: 13_2_0016DCE0 13_2_0016DCE0
Source: C:\Windows\System32\conhost.exe Code function: 15_2_001E38A8 15_2_001E38A8
Source: C:\Windows\System32\conhost.exe Code function: 15_2_001DD0E0 15_2_001DD0E0
Source: C:\Windows\System32\conhost.exe Code function: 15_2_001D1F2C 15_2_001D1F2C
Source: C:\Windows\System32\conhost.exe Code function: 15_2_002144A8 15_2_002144A8
Source: C:\Windows\System32\conhost.exe Code function: 15_2_0020DCE0 15_2_0020DCE0
Source: C:\Windows\System32\conhost.exe Code function: 15_2_00202B2C 15_2_00202B2C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_000F38A8 16_2_000F38A8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_000ED0E0 16_2_000ED0E0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_000E1F2C 16_2_000E1F2C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_00282B2C 16_2_00282B2C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_002944A8 16_2_002944A8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_0028DCE0 16_2_0028DCE0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_002D38A8 16_2_002D38A8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_002CD0E0 16_2_002CD0E0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_002C1F2C 16_2_002C1F2C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_003044A8 16_2_003044A8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_002FDCE0 16_2_002FDCE0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_002F2B2C 16_2_002F2B2C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF696FCC 16_2_FF696FCC
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF64020C 16_2_FF64020C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF65CF70 16_2_FF65CF70
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF631F58 16_2_FF631F58
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF662F20 16_2_FF662F20
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF646FC0 16_2_FF646FC0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6C6FB8 16_2_FF6C6FB8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF644FBC 16_2_FF644FBC
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF69EF9C 16_2_FF69EF9C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF655E78 16_2_FF655E78
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF640E24 16_2_FF640E24
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6A9E9C 16_2_FF6A9E9C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF652D48 16_2_FF652D48
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF643D54 16_2_FF643D54
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6C0D30 16_2_FF6C0D30
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF630D00 16_2_FF630D00
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF647DA0 16_2_FF647DA0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF678D90 16_2_FF678D90
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF631C1C 16_2_FF631C1C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF62BCCC 16_2_FF62BCCC
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF635CD0 16_2_FF635CD0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF65DCA8 16_2_FF65DCA8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF641B7C 16_2_FF641B7C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6A5BE8 16_2_FF6A5BE8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6A0BF0 16_2_FF6A0BF0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF636BD4 16_2_FF636BD4
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF65FBA0 16_2_FF65FBA0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF64FBB0 16_2_FF64FBB0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF62AB88 16_2_FF62AB88
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF66AB94 16_2_FF66AB94
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF62AA70 16_2_FF62AA70
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF626A40 16_2_FF626A40
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF676A54 16_2_FF676A54
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF638AF0 16_2_FF638AF0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF652AC0 16_2_FF652AC0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6A3ADC 16_2_FF6A3ADC
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF64BAA0 16_2_FF64BAA0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF65CAA0 16_2_FF65CAA0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF66EAB0 16_2_FF66EAB0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6C893C 16_2_FF6C893C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF622904 16_2_FF622904
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6AA910 16_2_FF6AA910
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6439D8 16_2_FF6439D8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF69A81C 16_2_FF69A81C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF62A8E8 16_2_FF62A8E8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6A88D0 16_2_FF6A88D0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6A98A8 16_2_FF6A98A8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF65D8B0 16_2_FF65D8B0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF63F8B4 16_2_FF63F8B4
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF697888 16_2_FF697888
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF65F750 16_2_FF65F750
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF63B75C 16_2_FF63B75C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF65E720 16_2_FF65E720
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF66A720 16_2_FF66A720
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF624708 16_2_FF624708
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF657708 16_2_FF657708
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6377D6 16_2_FF6377D6
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6A47A8 16_2_FF6A47A8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF63A7BC 16_2_FF63A7BC
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF65A664 16_2_FF65A664
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF62E670 16_2_FF62E670
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6A1654 16_2_FF6A1654
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF623604 16_2_FF623604
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF646618 16_2_FF646618
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF66B6F0 16_2_FF66B6F0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF64D6A0 16_2_FF64D6A0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF65169C 16_2_FF65169C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF62F56C 16_2_FF62F56C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6B157C 16_2_FF6B157C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6585A0 16_2_FF6585A0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6215B4 16_2_FF6215B4
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF655468 16_2_FF655468
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF62E478 16_2_FF62E478
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF66C450 16_2_FF66C450
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF63E45C 16_2_FF63E45C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6AA434 16_2_FF6AA434
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF62241C 16_2_FF62241C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6A24D8 16_2_FF6A24D8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF66B488 16_2_FF66B488
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF63F48C 16_2_FF63F48C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF652360 16_2_FF652360
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF621364 16_2_FF621364
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF65B328 16_2_FF65B328
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6A6334 16_2_FF6A6334
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF646308 16_2_FF646308
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF629310 16_2_FF629310
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6BC3E0 16_2_FF6BC3E0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6483A8 16_2_FF6483A8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF64939C 16_2_FF64939C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF62C2AC 16_2_FF62C2AC
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF69B110 16_2_FF69B110
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF63A1E8 16_2_FF63A1E8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF62C1D0 16_2_FF62C1D0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF62D0C8 16_2_FF62D0C8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF65E0B0 16_2_FF65E0B0
Source: C:\Windows\System32\lsass.exe Code function: 17_2_001038A8 17_2_001038A8
Source: C:\Windows\System32\lsass.exe Code function: 17_2_000FD0E0 17_2_000FD0E0
Source: C:\Windows\System32\lsass.exe Code function: 17_2_000F1F2C 17_2_000F1F2C
Source: C:\Windows\System32\lsass.exe Code function: 17_2_009D44A8 17_2_009D44A8
Source: C:\Windows\System32\lsass.exe Code function: 17_2_009CDCE0 17_2_009CDCE0
Source: C:\Windows\System32\lsass.exe Code function: 17_2_009C2B2C 17_2_009C2B2C
Source: C:\Windows\System32\lsm.exe Code function: 19_2_001C38A8 19_2_001C38A8
Source: C:\Windows\System32\lsm.exe Code function: 19_2_001BD0E0 19_2_001BD0E0
Source: C:\Windows\System32\lsm.exe Code function: 19_2_001B1F2C 19_2_001B1F2C
Source: C:\Windows\System32\lsm.exe Code function: 19_2_002744A8 19_2_002744A8
Source: C:\Windows\System32\lsm.exe Code function: 19_2_0026DCE0 19_2_0026DCE0
Source: C:\Windows\System32\lsm.exe Code function: 19_2_00262B2C 19_2_00262B2C
Source: C:\Windows\System32\svchost.exe Code function: 20_2_0068D0E0 20_2_0068D0E0
Source: C:\Windows\System32\svchost.exe Code function: 20_2_006938A8 20_2_006938A8
Source: C:\Windows\System32\svchost.exe Code function: 20_2_00681F2C 20_2_00681F2C
Source: C:\Windows\System32\svchost.exe Code function: 20_2_006BDCE0 20_2_006BDCE0
Source: C:\Windows\System32\svchost.exe Code function: 20_2_006C44A8 20_2_006C44A8
Source: C:\Windows\System32\svchost.exe Code function: 20_2_006B2B2C 20_2_006B2B2C
Source: C:\Windows\System32\svchost.exe Code function: 22_2_014ADCE0 22_2_014ADCE0
Source: C:\Windows\System32\svchost.exe Code function: 22_2_014B44A8 22_2_014B44A8
Source: C:\Windows\System32\svchost.exe Code function: 22_2_014A2B2C 22_2_014A2B2C
Source: C:\Windows\System32\svchost.exe Code function: 23_2_00BD44A8 23_2_00BD44A8
Source: C:\Windows\System32\svchost.exe Code function: 23_2_00BCDCE0 23_2_00BCDCE0
Source: C:\Windows\System32\svchost.exe Code function: 23_2_00BC2B2C 23_2_00BC2B2C
Source: C:\Windows\System32\svchost.exe Code function: 24_2_00A844A8 24_2_00A844A8
Source: C:\Windows\System32\svchost.exe Code function: 24_2_00A7DCE0 24_2_00A7DCE0
Source: C:\Windows\System32\svchost.exe Code function: 24_2_00A72B2C 24_2_00A72B2C
Source: C:\Windows\System32\svchost.exe Code function: 25_2_00C6DCE0 25_2_00C6DCE0
Source: C:\Windows\System32\svchost.exe Code function: 25_2_00C744A8 25_2_00C744A8
Source: C:\Windows\System32\svchost.exe Code function: 25_2_00C62B2C 25_2_00C62B2C
Source: C:\Windows\System32\svchost.exe Code function: 26_2_001238A8 26_2_001238A8
Source: C:\Windows\System32\svchost.exe Code function: 26_2_0011D0E0 26_2_0011D0E0
Source: C:\Windows\System32\svchost.exe Code function: 26_2_00111F2C 26_2_00111F2C
Source: C:\Windows\System32\svchost.exe Code function: 26_2_002D44A8 26_2_002D44A8
Source: C:\Windows\System32\svchost.exe Code function: 26_2_002CDCE0 26_2_002CDCE0
Source: C:\Windows\System32\svchost.exe Code function: 26_2_002C2B2C 26_2_002C2B2C
Source: C:\Windows\explorer.exe Code function: String function: 0000000140001394 appears 32 times
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1436 -s 724
Source: mine327.exe Static PE information: No import functions for PE file found
Source: mine327.exe, 00000000.00000000.333307470.000000000129A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUkedopegude> vs mine327.exe
Source: mine327.exe, 00000000.00000002.377603583.00000000000CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs mine327.exe
Source: C:\Users\user\Desktop\mine327.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\mine327.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\mine327.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\mine327.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\mine327.exe Section loaded: bcrypt.dll
Source: C:\Users\user\Desktop\mine327.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\mine327.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\mine327.exe Section loaded: amsi.dll
Source: C:\Windows\System32\dialer.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\dialer.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\sc.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\sc.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: explorerframe.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: duser.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: dui70.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: powrprof.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: dwmapi.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: slc.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: secur32.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: sspicli.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: propsys.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: winsta.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe Section loaded: duser.dll
Source: C:\Windows\explorer.exe Section loaded: dui70.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: slc.dll
Source: C:\Windows\explorer.exe Section loaded: secur32.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasman.dll
Source: classification engine Classification label: mal100.expl.evad.winEXE@23/1@0/0
Source: C:\Windows\System32\dialer.exe Code function: 3_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx, 3_2_000000014000226C
Source: C:\Windows\System32\dialer.exe Code function: 3_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString, 3_2_00000001400019C4
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6B9DF0 OpenSCManagerW,GetLastError,OpenServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,GetLastError,CloseServiceHandle,CloseServiceHandle, 16_2_FF6B9DF0
Source: C:\Users\user\Desktop\mine327.exe File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
Source: C:\Windows\System32\conhost.exe Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1436
Source: C:\Windows\System32\WerFault.exe File created: C:\Users\user\AppData\Local\Temp\WER6893.tmp
Source: C:\Windows\System32\sc.exe Console Write: .................0E.....................(.P.....8.......H.......................................................................$...............
Source: C:\Windows\System32\sc.exe Console Write: ............:....1..............[.S.C.]. .C.r.e.a.t.e.S.e.r.v.i.c.e. .S.U.C.C.E.S.S..............97.............h.......8.......................
Source: C:\Windows\System32\sc.exe Console Write: .................^......................(.P.....................H...............................$...............................................
Source: C:\Windows\System32\sc.exe Console Write: ................0.4.....................(.P.....h...............<........7......................"...............................................
Source: C:\Users\user\Desktop\mine327.exe Process created: C:\Windows\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\mine327.exe Process created: C:\Windows\explorer.exe
Source: mine327.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\mine327.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: svchost.exe, 00000019.00000002.609571037.000000000366F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.347207490.0000000003658000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99;
Source: svchost.exe, 00000019.00000002.609571037.00000000036C0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.347207490.00000000036C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: select * from __SystemEvent;
Source: mine327.exe ReversingLabs: Detection: 69%
Source: mine327.exe Virustotal: Detection: 48%
Source: C:\Users\user\Desktop\mine327.exe File read: C:\Users\user\Desktop\mine327.exe
Source: unknown Process created: C:\Users\user\Desktop\mine327.exe "C:\Users\user\Desktop\mine327.exe"
Source: C:\Users\user\Desktop\mine327.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GVKQGWZS"
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe "139732321118494632871898021326457884-543674567-14929065572102852035-708161083"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GVKQGWZS" binpath= "C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe" start= "auto"
Source: C:\Windows\System32\services.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1436 -s 724
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GVKQGWZS"
Source: C:\Windows\System32\dialer.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe "-1634546190-146323334895602099619948307862079476161-1963036748880124969-1741426452"
Source: C:\Windows\System32\services.exe Process created: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
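The process tree above shows the whole persistence sequence in four sc.exe invocations issued by an explorer.exe that the sample has injected into: delete any old service, create "GVKQGWZS" pointing at a binary under C:\ProgramData, stop the eventlog service, start the new service, after which services.exe launches the ProgramData binary. The following is an added example, not part of the sandbox report: a small detector run over constructed process-creation records (parent image, image, command line) that mirror that tree, plus one constructed benign service registration for contrast. The rule names and the list of user-populatable directories are my own choices; the "eventlog_stop" rule corresponds to the Sigma "Stop EventLog" hit in the signature list.

```python
"""Flag the sc.exe persistence / event-log tampering chain seen in the process tree.

Added example, not part of the sandbox report. EVENTS is a constructed list
of (parent image, image, command line) records mirroring the tree above,
with one benign service registration appended for contrast.
"""
import re

EVENTS = [
    (r"C:\Users\user\Desktop\mine327.exe", r"C:\Windows\explorer.exe",
     r'"C:\Windows\explorer.exe"'),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\dialer.exe",
     r"C:\Windows\system32\dialer.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\sc.exe",
     r'C:\Windows\system32\sc.exe delete "GVKQGWZS"'),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\sc.exe",
     r'C:\Windows\system32\sc.exe create "GVKQGWZS" binpath= '
     r'"C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe" start= "auto"'),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\sc.exe",
     r"C:\Windows\system32\sc.exe stop eventlog"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\sc.exe",
     r'C:\Windows\system32\sc.exe start "GVKQGWZS"'),
    (r"C:\Windows\System32\services.exe", r"C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe",
     r"C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe"),
    # constructed benign record: an admin shell registering a vendor service
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\sc.exe",
     r'sc.exe create "BackupAgent" binpath= "C:\Program Files\Backup\agent.exe" start= "auto"'),
]

# Roots a non-admin process can populate (my list, not the report's)
WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_sc(cmdline):
    """Return (verb, service, binpath) for an sc.exe command line, else None."""
    t = tokens(cmdline)
    if len(t) < 2 or basename(t[0]) != "sc.exe":
        return None
    verb = t[1].lower()
    service = t[2].lower() if len(t) > 2 else ""
    binpath = ""
    for i in range(3, len(t) - 1):
        if t[i].lower() == "binpath=":  # sc.exe syntax is "binpath= <value>"
            binpath = t[i + 1]
    return verb, service, binpath


def in_writable_path(path):
    return path.lower().startswith(WRITABLE_PREFIXES)


def analyze(events):
    """Return (event index or None, rule, detail) findings over the records."""
    findings = []
    sc_ops = {}  # parent image -> set of (verb, service) it issued
    for idx, (parent, image, cmdline) in enumerate(events):
        if basename(image) == "sc.exe":
            parsed = parse_sc(cmdline)
            if parsed is None:
                continue
            verb, service, binpath = parsed
            sc_ops.setdefault(parent.lower(), set()).add((verb, service))
            if verb == "stop" and service == "eventlog":
                findings.append((idx, "eventlog_stop", cmdline))
            if verb == "create" and in_writable_path(binpath):
                findings.append((idx, "service_create_writable_binpath", binpath))
            if basename(parent) == "explorer.exe":  # the shell has no reason to run sc.exe
                findings.append((idx, "sc_spawned_by_explorer", verb))
        elif basename(parent) == "services.exe" and in_writable_path(image):
            findings.append((idx, "service_binary_in_writable_path", image))
    # correlate: same parent creates and starts a service and blinds the event log
    for parent, ops in sc_ops.items():
        created = {s for v, s in ops if v == "create"}
        started = {s for v, s in ops if v == "start"}
        if created & started and ("stop", "eventlog") in ops:
            findings.append((None, "persist_then_blind_eventlog", parent))
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The per-event rules fire on the single suspicious records; the correlated rule at the end is the one worth alerting on, because "sc create" from an admin shell is routine while create + start + "stop eventlog" from one parent is not.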
Source: C:\Users\user\Desktop\mine327.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\mine327.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: mine327.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: mine327.exe Static file information: File size 3249284 > 1048576
Source: mine327.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: mine327.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: .assembly\GAC_MSC:\Users\user\Desktop\Fallkyriya.pdb3fPwty0 source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: ..pdb source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: :\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb.pdb source: mine327.exe, 00000000.00000002.377603583.000000000012A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb.pdb source: mine327.exe, 00000000.00000002.379248247.000000001B31E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscoree.pdbb source: WerFault.exe, 0000000A.00000002.372971964.000000000245F000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb source: mine327.exe, 00000000.00000000.333303562.0000000001292000.00000020.00000001.01000000.00000003.sdmp
Source: Binary string: al\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: .C:\Users\user\Desktop\mine327.PDB source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\mine327.PDB source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000A.00000002.375318351.00000000026B8000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: 2wmine327.PDB source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: explorer.pdb source: explorer.exe, 00000002.00000003.341979658.0000000000430000.00000004.00000001.00020000.00000000.sdmp, oapavmkbdsqp.exe, oapavmkbdsqp.exe, 00000010.00000002.409921933.00000000FF621000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: 8C:\Windows\Fallkyriya.pdb source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: symbols\exe\Fallkyriya.pdbb4 source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: explorer.pdbP source: explorer.exe, 00000002.00000003.341979658.0000000000430000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000A.00000002.372971964.000000000245F000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb/ source: mine327.exe, 00000000.00000002.377689220.00000000002E2000.00000004.00000010.00020000.00000000.sdmp
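Two things stand out in the PDB strings above: the sample itself references a .NET stub project (Fallkyriya.pdb under a DotnetGenerator\Stub path), and the dropped service binary oapavmkbdsqp.exe carries the string explorer.pdb and, further down, writes ExplorerStartupLog.etl, which is consistent with the service binary being a renamed copy of explorer.exe rather than custom code. These strings come from the CodeView record that the linker stores in the PE debug directory: "RSDS", a 16-byte GUID, a 4-byte age and a NUL-terminated PDB path. GUID and age also form the Microsoft symbol-server key, so comparing the record of the dropped file against the system's explorer.exe is a quick way to confirm or refute that reading. The following is an added example, not part of the sandbox report: a scanner for RSDS records in a byte blob (file or memory dump). SAMPLE is a constructed blob and its GUIDs are placeholders, not real build GUIDs.

```python
"""Recover CodeView (RSDS) debug records, the origin of the ".pdb" strings above.

Added example, not part of the sandbox report. On-disk layout of the record:
"RSDS" + GUID (16 bytes, little-endian field order) + age (uint32 LE) +
NUL-terminated PDB path. SAMPLE is constructed; the GUIDs are placeholders.
"""
import struct
import uuid
from typing import List, Optional


def make_rsds(guid: uuid.UUID, age: int, pdb_path: str) -> bytes:
    """Serialize one RSDS record (GUID in the on-disk little-endian layout)."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("ascii") + b"\x00"


def parse_rsds(data: bytes, offset: int) -> Optional[dict]:
    """Parse an RSDS record at offset; None if the bytes are not a plausible record."""
    if data[offset:offset + 4] != b"RSDS" or len(data) < offset + 25:
        return None
    guid = uuid.UUID(bytes_le=data[offset + 4:offset + 20])
    age = struct.unpack_from("<I", data, offset + 20)[0]
    end = data.find(b"\x00", offset + 24)
    if end < 0:
        return None
    try:
        path = data[offset + 24:end].decode("ascii")
    except UnicodeDecodeError:
        return None
    # a stray "RSDS" inside unrelated data yields garbage here; require a .pdb name
    if not (path.isprintable() and path.lower().endswith(".pdb")):
        return None
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return {
        "guid": str(guid),
        "age": age,
        "pdb_path": path,
        # symbol-server key: uppercase GUID hex (field order restored by bytes_le) + age in hex
        "symkey": f"{name}/{guid.hex.upper()}{age:X}/{name}",
    }


def find_rsds(data: bytes) -> List[dict]:
    """Scan a byte blob (file or memory dump) for every plausible RSDS record."""
    records, pos = [], 0
    while (pos := data.find(b"RSDS", pos)) != -1:
        rec = parse_rsds(data, pos)
        if rec is not None:
            records.append(rec)
        pos += 4
    return records


# Constructed sample: filler, a record naming explorer.pdb, a stray "RSDS" marker,
# then a record with the stub's PDB path as it appears in the report
SAMPLE = (
    b"\x90" * 7
    + make_rsds(uuid.UUID("12345678-1234-5678-9abc-def012345678"), 1, "explorer.pdb")
    + b"junkRSDSxx"
    + make_rsds(uuid.UUID("0f0e0d0c-0b0a-0908-0706-050403020100"), 2,
                r"C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb")
)

if __name__ == "__main__":
    for rec in find_rsds(SAMPLE):
        print(rec["symkey"], rec["pdb_path"])
```

Run find_rsds over the dropped file and over C:\Windows\explorer.exe from the same machine: matching GUID and age means the same build; a GUID that resolves on the public symbol server means a genuine Microsoft build, which is the situation in which a signed, well-known binary is abused purely as a host for injected code.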

Data Obfuscation

Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Unpacked PE file: 16.2.oapavmkbdsqp.exe.280000.1.unpack
Source: mine327.exe Static PE information: 0xFC4D4CA1 [Wed Feb 20 04:18:41 2104 UTC] (the sample is a .NET assembly, per the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry above, and deterministic .NET builds store a content hash in TimeDateStamp rather than a build time, so the future date by itself is not evidence of manual header tampering)
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF64020C RegisterTraceGuidsW,RegDeleteKeyExW,GetCurrentProcess,SetPriorityClass,SystemParametersInfoW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegCreateKeyW,CreateMutexW,WaitForSingleObject,#899,#188,SetProcessShutdownParameters,PeekMessageW,WaitForSingleObject,CloseHandle,OleInitialize,CoCreateInstance,#660,SHGetValueW,GetUserDefaultUILanguage,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,GetSystemMetrics,CreateEventW,GetSystemMetrics,#885,CloseHandle,RegQueryValueExW,RegSetValueExW,#110,SHCreateThreadRef,SHSetThreadRef,#176,ReleaseMutex,CloseHandle,PostMessageW,#16,GetCurrentProcess,SetPriorityClass,RegisterApplicationRestart,CoCreateInstance,#201,ReleaseMutex,CloseHandle,GetCurrentProcess,SetPriorityClass,memset,SHGetKnownFolderIDList,ShellExecuteExW,#155,memset,GetCommandLineW,PathGetArgsW,CoCreateInstance,CoCreateInstance,CoCreateInstance,memset,GetStartupInfoW,#155,LoadLibraryW,GetProcAddress,FreeLibrary,SHSetThreadRef,GetMessageW,TranslateMessage,DispatchMessageW,RegSetValueExW,#111,OleUninitialize,#188,GetCommandLineW,PathGetArgsW,#158,#10,UnregisterTraceGuids,ExitProcess, 16_2_FF64020C
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_0055ACDD push rcx; retf 003Fh 0_2_0055ACDE
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_0058C6DD push rcx; retf 003Fh 0_2_0058C6DE
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D5DD58 push eax; retf 0_2_000007FE93D5E039
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D500BD pushad ; iretd 0_2_000007FE93D500C1
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D51E6D pushad ; retf 0_2_000007FE93D51E81
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93D505F5 pushad ; retf 0_2_000007FE93D505F9
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_000007FE93E5026B push esp; retf 4810h 0_2_000007FE93E50312
Source: C:\Windows\explorer.exe Code function: 2_2_0000000140001394 push qword ptr [000000014000A004h]; ret 2_2_0000000140001403
Source: C:\Windows\System32\services.exe Code function: 6_2_001DACDD push rcx; retf 003Fh 6_2_001DACDE
Source: C:\Windows\System32\services.exe Code function: 6_2_0020C6DD push rcx; retf 003Fh 6_2_0020C6DE
Source: C:\Windows\System32\WerFault.exe Code function: 10_2_0249C6DD push rcx; retf 003Fh 10_2_0249C6DE
Source: C:\Windows\System32\winlogon.exe Code function: 12_2_0096ACDD push rcx; retf 003Fh 12_2_0096ACDE
Source: C:\Windows\System32\winlogon.exe Code function: 12_2_0099C6DD push rcx; retf 003Fh 12_2_0099C6DE
Source: C:\Windows\System32\sc.exe Code function: 13_2_0014ACDD push rcx; retf 003Fh 13_2_0014ACDE
Source: C:\Windows\System32\sc.exe Code function: 13_2_0017C6DD push rcx; retf 003Fh 13_2_0017C6DE
Source: C:\Windows\System32\conhost.exe Code function: 15_2_001EACDD push rcx; retf 003Fh 15_2_001EACDE
Source: C:\Windows\System32\conhost.exe Code function: 15_2_0021C6DD push rcx; retf 003Fh 15_2_0021C6DE
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_000FACDD push rcx; retf 003Fh 16_2_000FACDE
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_0029C6DD push rcx; retf 003Fh 16_2_0029C6DE
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_002DACDD push rcx; retf 003Fh 16_2_002DACDE
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_0030C6DD push rcx; retf 003Fh 16_2_0030C6DE
Source: C:\Windows\System32\lsass.exe Code function: 17_2_0010ACDD push rcx; retf 003Fh 17_2_0010ACDE
Source: C:\Windows\System32\lsass.exe Code function: 17_2_009DC6DD push rcx; retf 003Fh 17_2_009DC6DE
Source: C:\Windows\System32\lsm.exe Code function: 19_2_001CACDD push rcx; retf 003Fh 19_2_001CACDE
Source: C:\Windows\System32\lsm.exe Code function: 19_2_0027C6DD push rcx; retf 003Fh 19_2_0027C6DE
Source: C:\Windows\System32\svchost.exe Code function: 20_2_0069ACDD push rcx; retf 003Fh 20_2_0069ACDE
Source: C:\Windows\System32\svchost.exe Code function: 20_2_006CC6DD push rcx; retf 003Fh 20_2_006CC6DE
Source: C:\Windows\System32\svchost.exe Code function: 22_2_014BC6DD push rcx; retf 003Fh 22_2_014BC6DE
Source: C:\Windows\System32\svchost.exe Code function: 23_2_00BDC6DD push rcx; retf 003Fh 23_2_00BDC6DE
Source: C:\Windows\System32\svchost.exe Code function: 24_2_00A8C6DD push rcx; retf 003Fh 24_2_00A8C6DE
Source: C:\Windows\System32\svchost.exe Code function: 25_2_00C7C6DD push rcx; retf 003Fh 25_2_00C7C6DE

Persistence and Installation Behavior

Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etl
Source: C:\Windows\explorer.exe File created: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF64BCF8 GetModuleFileNameW,PathFindFileNameW,GetPrivateProfileStringW,PathRemoveArgsW,PathRemoveBlanksW,PathFindFileNameW,lstrlenW,StrCmpNIW,#158, 16_2_FF64BCF8
Source: C:\Windows\System32\services.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\GVKQGWZS
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6B9DF0 OpenSCManagerW,GetLastError,OpenServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,GetLastError,CloseServiceHandle,CloseServiceHandle, 16_2_FF6B9DF0
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GVKQGWZS"
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF675F80 IsWindowVisible,IsIconic,IsWindowEnabled,GetWindowLongW,GetSystemMenu,GetMenuState, 16_2_FF675F80
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF664D94 SendMessageW,SendMessageW,GetAncestor,GetLastActivePopup,IsIconic,IsWindowEnabled,SwitchToThisWindow,IsWindowVisible,IsWindowEnabled,GetWindow,IsIconic,ShowWindowAsync, 16_2_FF664D94
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF62ACE8 IsIconic, 16_2_FF62ACE8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF664CFC IsWindow,IsIconic,GetForegroundWindow,ShowWindowAsync,PostMessageW, 16_2_FF664CFC
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF65BB9C ShowWindow,IsIconic,SendMessageW,PostMessageW,PostMessageW,EventEnabled, 16_2_FF65BB9C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF676530 ShowWindow,IsIconic,SendMessageW,PostMessageW,PostMessageW,IsCompositionActive, 16_2_FF676530
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF65F410 IsIconic,GetWindowLongW,IsWindowVisible, 16_2_FF65F410
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF65B328 GetMonitorInfoW,IntersectRect,SetPropW,GetModuleHandleW,LoadIconW,SendMessageW,#100,SHGetKnownFolderIDList,#155,RemovePropW,DestroyWindow,SystemParametersInfoW,OffsetRect,IsIconic,GetCurrentProcessId,SendMessageTimeoutW,GetCurrentProcessId,#8,#9,GetCurrentProcessId,#10, 16_2_FF65B328
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF65F3D3 IsIconic,GetWindowLongW, 16_2_FF65F3D3
Source: C:\Users\user\Desktop\mine327.exe Process information set: NOOPENFILEERRORBOX (39 times)
Source: C:\Windows\System32\services.exe Process information set: NOOPENFILEERRORBOX (5 times)
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX (5 times)
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (13 times)
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX (2 times)
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (3 times)

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: mine327.exe PID: 1436, type: MEMORYSTR
Source: C:\Windows\System32\dialer.exe Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 3_2_00000001400010C0
Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\mine327.exe Memory allocated: 1D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\mine327.exe Memory allocated: DC0000 memory reserve | memory write watch
Source: C:\Windows\System32\dialer.exe Window / User API: threadDelayed 917
Source: C:\Windows\System32\services.exe Window / User API: threadDelayed 7129
Source: C:\Windows\System32\services.exe Window / User API: threadDelayed 1873
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 7690
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 901
Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 5563
Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 3625
Source: C:\Windows\System32\lsm.exe Window / User API: threadDelayed 5071
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 6772
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 6568
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 3236
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 2293
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 5696
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 3706
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 2268
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 5480
Source: C:\Windows\System32\spoolsv.exe Window / User API: threadDelayed 4975
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 2279
Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 5066
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 9733
Source: C:\Windows\System32\UI0Detect.exe Window / User API: threadDelayed 2826
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 2262
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Window / User API: threadDelayed 1931
Source: C:\Windows\System32\dialer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
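The dialer.exe routine listed at the top of this section enumerates processes (OpenProcess, K32GetModuleFileNameExW, StrCmpIW), then opens each candidate's token and reads GetTokenInformation followed by GetSidSubAuthorityCount and GetSidSubAuthority before the VirtualAllocEx / WriteProcessMemory / NtCreateThreadEx injection calls; the "DecisionNodes" line here is the sandbox noting that the branch depends on that token data. What such code reads is the last sub-authority of the returned SID, the RID. The following is an added example, not part of the sandbox report: it rebuilds that read on the documented binary SID layout (revision, sub-authority count, 6-byte big-endian identifier authority, little-endian sub-authorities) and labels the cases a target-selection check of this kind typically distinguishes. The labels are my own; the report shows the API sequence, not which branch the sample takes. The SIDs used in the test are constructed.

```python
"""Decode a binary Windows SID and read GetSidSubAuthority(sid, count - 1).

Added example, not part of the sandbox report. Mirrors, in pure Python,
the IsValidSid / GetSidSubAuthorityCount / GetSidSubAuthority sequence the
dialer.exe routine above applies to a token's SID. Labels are my own.
"""
import struct

WELL_KNOWN = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
# mandatory-label (integrity) SIDs: S-1-16-<level>
INTEGRITY = {0x1000: "low", 0x2000: "medium", 0x3000: "high", 0x4000: "system"}


def build_sid(authority: int, subs) -> bytes:
    """Serialize S-1-<authority>-<subs...> in the in-memory SID layout."""
    return (bytes([1, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def parse_sid(raw: bytes):
    """Return (string form, sub-authority list); raises on malformed input."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("unsupported SID revision")
    count = raw[1]  # GetSidSubAuthorityCount
    if count == 0 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")          # IdentifierAuthority is big-endian
    subs = list(struct.unpack_from(f"<{count}I", raw, 8))  # sub-authorities are little-endian
    return f"S-1-{authority}-" + "-".join(str(s) for s in subs), subs


def classify_token_sid(raw: bytes):
    """(sid_string, rid, label) where rid is what GetSidSubAuthority(sid, count - 1) yields."""
    text, subs = parse_sid(raw)
    rid = subs[-1]
    if text in WELL_KNOWN:
        label = WELL_KNOWN[text]
    elif text.startswith("S-1-16-"):
        label = "integrity:" + INTEGRITY.get(rid, hex(rid))
    elif rid == 500 and text.startswith("S-1-5-21-"):  # built-in Administrator account
        label = "Administrator(RID 500)"
    else:
        label = "other"
    return text, rid, label


if __name__ == "__main__":
    for sid in (build_sid(5, [18]), build_sid(16, [0x3000]), build_sid(5, [21, 1, 2, 3, 500])):
        print(classify_token_sid(sid))
```

From the defender's side the same read is useful in reverse: a user-mode process that opens tokens of services.exe, lsass.exe or winlogon.exe and inspects their SIDs has no legitimate reason to do so, and the system-process "Thread sleep" entries below are consistent with those processes having received the payload.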
Source: C:\Windows\explorer.exe API coverage: 3.6 %
Source: C:\Windows\System32\conhost.exe API coverage: 9.1 %
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe API coverage: 1.9 %
Source: C:\Windows\System32\lsass.exe API coverage: 9.2 %
Source: C:\Windows\System32\svchost.exe API coverage: 7.7 %
Source: C:\Windows\System32\svchost.exe API coverage: 7.6 %
Source: C:\Windows\System32\svchost.exe API coverage: 7.5 %
Source: C:\Windows\System32\svchost.exe API coverage: 7.7 %
Source: C:\Windows\System32\svchost.exe API coverage: 8.6 %
Source: C:\Windows\System32\svchost.exe API coverage: 7.9 %
Source: C:\Windows\System32\dialer.exe TID: 1036 Thread sleep count: 917 > 30
Source: C:\Windows\System32\dialer.exe TID: 1036 Thread sleep time: -91700s >= -30000s
Source: C:\Windows\System32\services.exe TID: 2912 Thread sleep count: 7129 > 30
Source: C:\Windows\System32\services.exe TID: 2912 Thread sleep time: -7129000s >= -30000s
Source: C:\Windows\System32\services.exe TID: 2912 Thread sleep count: 1873 > 30
Source: C:\Windows\System32\services.exe TID: 2912 Thread sleep time: -1873000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 1292 Thread sleep count: 7690 > 30
Source: C:\Windows\System32\winlogon.exe TID: 1292 Thread sleep time: -7690000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 1292 Thread sleep count: 901 > 30
Source: C:\Windows\System32\winlogon.exe TID: 1292 Thread sleep time: -901000s >= -30000s
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe TID: 2008 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 1416 Thread sleep count: 5563 > 30
Source: C:\Windows\System32\lsass.exe TID: 1416 Thread sleep time: -5563000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 1416 Thread sleep count: 3625 > 30
Source: C:\Windows\System32\lsass.exe TID: 1416 Thread sleep time: -3625000s >= -30000s
Source: C:\Windows\System32\lsm.exe TID: 1200 Thread sleep count: 5071 > 30
Source: C:\Windows\System32\lsm.exe TID: 1200 Thread sleep time: -5071000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2572 Thread sleep count: 6772 > 30
Source: C:\Windows\System32\svchost.exe TID: 2572 Thread sleep time: -6772000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2436 Thread sleep count: 6568 > 30
Source: C:\Windows\System32\svchost.exe TID: 2436 Thread sleep time: -6568000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2228 Thread sleep count: 3236 > 30
Source: C:\Windows\System32\svchost.exe TID: 2228 Thread sleep time: -3236000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1736 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2924 Thread sleep count: 2293 > 30
Source: C:\Windows\System32\svchost.exe TID: 2924 Thread sleep time: -2293000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2872 Thread sleep count: 5696 > 30
Source: C:\Windows\System32\svchost.exe TID: 2872 Thread sleep time: -5696000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2172 Thread sleep count: 3706 > 30
Source: C:\Windows\System32\svchost.exe TID: 2172 Thread sleep time: -3706000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 264 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2260 Thread sleep count: 2268 > 30
Source: C:\Windows\System32\svchost.exe TID: 2260 Thread sleep time: -2268000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2728 Thread sleep count: 5480 > 30
Source: C:\Windows\System32\svchost.exe TID: 2728 Thread sleep time: -5480000s >= -30000s
Source: C:\Windows\System32\spoolsv.exe TID: 2192 Thread sleep count: 4975 > 30
Source: C:\Windows\System32\spoolsv.exe TID: 2192 Thread sleep time: -4975000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3076 Thread sleep count: 2279 > 30
Source: C:\Windows\System32\svchost.exe TID: 3076 Thread sleep time: -2279000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 3084 Thread sleep count: 5066 > 30
Source: C:\Windows\System32\dwm.exe TID: 3084 Thread sleep time: -5066000s >= -30000s
Source: C:\Windows\explorer.exe TID: 3100 Thread sleep count: 9733 > 30
Source: C:\Windows\explorer.exe TID: 3100 Thread sleep time: -9733000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1340 Thread sleep time: -420000s >= -30000s
Source: C:\Windows\System32\UI0Detect.exe TID: 3116 Thread sleep count: 2826 > 30
Source: C:\Windows\System32\UI0Detect.exe TID: 3116 Thread sleep time: -2826000s >= -30000s
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 1876 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3152 Thread sleep count: 2262 > 30
Source: C:\Windows\System32\svchost.exe TID: 3152 Thread sleep time: -2262000s >= -30000s
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 3160 Thread sleep count: 1931 > 30
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 3160 Thread sleep time: -1931000s >= -30000s
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 2808 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 2208 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\dialer.exe Last function: Thread delayed (2 times)
Source: C:\Windows\System32\services.exe Last function: Thread delayed (2 times)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed (2 times)
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed (18 times)
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Last function: Thread delayed (2 times)
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed (2 times)
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Last function: Thread delayed (4 times)
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF652F95 GetLocalTime followed by cmp: cmp eax, 01h and CTI: jne FF6551F6h 16_2_FF652F95
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF63E858 GetLocalTime followed by cmp: cmp di, 000ch and CTI: jbe FF680741h 16_2_FF63E858
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF66D630 GetSystemTimeAsFileTime followed by cmp: cmp al, 04h and CTI: jc FF68D097h 16_2_FF66D630
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_0057DCE0 FindFirstFileExW, 0_2_0057DCE0
Source: C:\Windows\System32\services.exe Code function: 6_2_001FDCE0 FindFirstFileExW, 6_2_001FDCE0
Source: C:\Windows\System32\WerFault.exe Code function: 10_2_0248DCE0 FindFirstFileExW, 10_2_0248DCE0
Source: C:\Windows\System32\winlogon.exe Code function: 12_2_0098DCE0 FindFirstFileExW, 12_2_0098DCE0
Source: C:\Windows\System32\sc.exe Code function: 13_2_0016DCE0 FindFirstFileExW, 13_2_0016DCE0
Source: C:\Windows\System32\conhost.exe Code function: 15_2_0020DCE0 FindFirstFileExW, 15_2_0020DCE0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_0028DCE0 FindFirstFileExW, 16_2_0028DCE0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_002FDCE0 FindFirstFileExW, 16_2_002FDCE0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF63F060 SHGetFolderPathEx,StrChrW,FindFirstFileW,PathRemoveFileSpecW,CompareStringOrdinal,lstrcmpiW,GetDesktopWindow,#292,FindNextFileW,FindClose, 16_2_FF63F060
Source: C:\Windows\System32\lsass.exe Code function: 17_2_009CDCE0 FindFirstFileExW, 17_2_009CDCE0
Source: C:\Windows\System32\lsm.exe Code function: 19_2_0026DCE0 FindFirstFileExW, 19_2_0026DCE0
Source: C:\Windows\System32\svchost.exe Code function: 20_2_006BDCE0 FindFirstFileExW, 20_2_006BDCE0
Source: C:\Windows\System32\svchost.exe Code function: 22_2_014ADCE0 FindFirstFileExW, 22_2_014ADCE0
Source: C:\Windows\System32\svchost.exe Code function: 23_2_00BCDCE0 FindFirstFileExW, 23_2_00BCDCE0
Source: C:\Windows\System32\svchost.exe Code function: 24_2_00A7DCE0 FindFirstFileExW, 24_2_00A7DCE0
Source: C:\Windows\System32\svchost.exe Code function: 25_2_00C6DCE0 FindFirstFileExW, 25_2_00C6DCE0
Source: C:\Windows\System32\svchost.exe Code function: 26_2_002CDCE0 FindFirstFileExW, 26_2_002CDCE0
Source: WmiPrvSE.exe, 00000022.00000003.441341124.00000000003FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware Virtual Platform
Source: WmiPrvSE.exe, 00000022.00000003.441341124.00000000003FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 35 04 92 67 3a 19 1e-bc 53 01 84 57 2e e5 5c
Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: svchost.exe, 00000019.00000000.346906062.0000000001170000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}u
Source: svchost.exe, 00000014.00000000.343474746.0000000000673000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: ;;SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: svchost.exe, 00000019.00000000.346906062.0000000001170000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}r
Source: spoolsv.exe, 0000001C.00000000.348519570.00000000027AE000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000P
Source: svchost.exe, 00000019.00000000.346906062.0000000001170000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}u
Source: services.exe, 00000006.00000002.607282545.0000000000FAB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b\\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}IDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____IDE\NECVMWar_VMware_SATA_CD01_______________1.00____IDE\CdRo
Source: svchost.exe, 00000014.00000002.606686716.0000000000F67000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}LMEM
Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: svchost.exe, 00000019.00000000.346906062.0000000001170000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}
Source: svchost.exe, 00000014.00000002.606686716.0000000000F67000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&22be343f&0&000000
Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: svchost.exe, 00000014.00000002.602992913.00000000001E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: svchost.exe, 00000019.00000002.610594695.0000000004884000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&22be343f&0&000000_0-{05901221-D566-11d1-B2F0-00A0C9062910}
Source: svchost.exe, 00000019.00000003.533428455.000000000378A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: stringComputer System ProductComputer System Product9BUL1B92043542-3A67-1E19-BC53-0184572EE55CVMware, Inc.None
Source: spoolsv.exe, 0000001C.00000000.348519570.00000000027AE000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PRO
Source: WmiPrvSE.exe, 00000022.00000003.441341124.00000000003FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.VMware Virtual PlatformNoneVMware-42 35 04 92 67 3a 19 1e-bc 53 01 84 57 2e e5 5c
Source: services.exe, 00000006.00000000.341821779.0000000001783000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 53f56308-b6bf-11d0-94f2-00a0c91efb8b\\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}IDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____IDE\NECVMWar_VMware_SATA_CD01_______________1.00____IDE\CdRomNECVMWar_VMware_SATA_CD01_______________NECVMWar_VMware_SATA_CD01_______________1.00____GenCdRomGenCdRomb8
Source: svchost.exe, 00000019.00000002.609571037.0000000003658000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: WMIBinaryMofResourceSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&22be343f&0&000000_0-{05901221-D566-11d1-B2F0-00A0C9062910}
Source: services.exe, 00000006.00000002.608272793.000000000179C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: ______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}IDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____IDE\NECVMWar_VMware_SATA_CD01_______________1.00____IDE\CdRomNECVMWar_VMware_SATA_CD01_______________NECVMWar_VMware_SATA_CD01_______________1.00____GenCdRomGenCdRom2accfe60-c130-11d2-b082-00a0c91efb8b\\?\PCIIDE#IDEChannel#5&35c44269&0&4#{2accfe60-c130-11d2-b082-00a0c91efb8b}15ad-07e0Internal_IDE_Channel*PNP06008
Source: svchost.exe, 00000016.00000002.605131595.0000000002100000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: services.exe, 00000006.00000000.341821779.0000000001783000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 53f56307-b6bf-11d0-94f2-00a0c91efb8b\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SCSI\DiskVMware__Virtual_disk____1.0_SCSI\DiskVMware__Virtual_disk____SCSI\DiskVMware__SCSI\VMware__Virtual_disk____1VMware__Virtual_disk____1GenDiskSCSI\DiskSCSI\RAW3
Source: svchost.exe, 00000019.00000002.603306949.00000000002EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&22be343f&0&000000_0r
Source: WmiPrvSE.exe, 00000022.00000003.441760961.00000000003AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0y
Source: services.exe, 00000006.00000000.341821779.0000000001783000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 53f56308-b6bf-11d0-94f2-00a0c91efb8b\\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}IDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____IDE\NECVMWar_VMware_SATA_CD01_______________1.00____IDE\CdRomNECVMWar_VMware_SATA_CD01_______________NECVMWar_VMware_SATA_CD01_______________1.00____GenCdRomGenCdRoml8
Source: svchost.exe, 00000019.00000000.347320164.0000000003E48000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Win32_ComputerSystemuser-PCWin32_ComputerSystemuser-PCOKuser-PC\userx64-based PCNormal bootVMware, Inc.VMware Virtual Platform
Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: explorer.exe, 0000001F.00000002.606706574.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: svchost.exe, 00000014.00000002.602992913.00000000001E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&2848384c&0&1.0.0
Source: svchost.exe, 00000019.00000000.347411701.000000000482C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: svchost.exe, 00000016.00000002.605131595.0000000002100000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: svchost.exe, 00000019.00000002.603306949.00000000002EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware
Source: svchost.exe, 00000014.00000000.343599035.000000000177E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&b0pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&b8acpi\pnp0a05\5aroot\ms_pppoeminiport\0000root\legacy_discache\0000pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&c0acpi\pnp0a05\23usb\vid_0e0f&pid_0003&mi_01\7&2a7d3009&0&0001pciide\idechannel\4&c5d1198&0&0acpi\pnp0a05\4&205ad762&0acpi\pnp0a05\5broot\legacy_ndproxy\0000acpi\pnp0a05\24pciide\idechannel\5&35c44269&0&5root\legacy_storflt\0000pciide\idechannel\5&35c44269&0&19root\ms_pptpminiport\0000ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25acpi\pnp0a05\40pciide\idechannel\4&c5d1198&0&1acpi\pnp0a05\5droot\legacy_tcpip\0000acpi\pnp0a05\26pciide\idechannel\5&35c44269&0&6root\ms_sstpminiport\0000pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&a9acpi\pnp0a05\41pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&b1pciide\idechannel\5&35c44269&0&2pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&b9pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01
Source: WmiPrvSE.exe, 00000022.00000003.441341124.00000000003FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 0000001F.00000002.604991513.00000000025E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0a
Source: svchost.exe, 00000016.00000002.605131595.0000000002100000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: svchost.exe, 00000014.00000002.602992913.0000000000210000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 0000001F.00000000.349660283.00000000001D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
Source: svchost.exe, 00000019.00000002.609571037.00000000035A1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: WDMClassesOfDriverMSStorageDriver_SenseDataSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&22be343f&0&000000_0-{05901221-D566-11d1-B2F0-00A0C9062910}
Source: services.exe, 00000006.00000000.341821779.0000000001783000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 53f56308-b6bf-11d0-94f2-00a0c91efb8b\\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}IDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____IDE\NECVMWar_VMware_SATA_CD01_______________1.00____IDE\CdRomNECVMWar_VMware_SATA_CD01_______________NECVMWar_VMware_SATA_CD01_____
Source: lsm.exe, 00000013.00000002.603598092.000000000038E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: svchost.exe, 00000019.00000002.609805884.0000000003731000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: WMIBinaryMofResourceSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&22be343f&0&000000_0-{05901221-D566-11d1-B2F0-00A0C9062910}ceName]me]$
Source: WmiPrvSE.exe, 00000022.00000003.441341124.00000000003FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000001D.00000002.605471171.00000000020A3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____\6&373888b8&0&1.0.0
Source: svchost.exe, 00000019.00000002.603306949.00000000002EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#5&22b
Source: svchost.exe, 00000019.00000000.347207490.00000000036C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: naryMofResourceSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&22be343f&0&000000_0-{05901221-D566-11d1-B2F0-00A0C9062910}
Source: services.exe, 00000006.00000002.607282545.0000000000FAB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b\\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}IDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____IDE\NECVMWar_VMware_SATA_CD01_______________1.00____IDE\CdRomNECVMWar_VMware_SATA_CD01_______________NECVMWar_VMware_SATA_CD01_______________1.00____GenCdRomGenCdRom
Source: svchost.exe, 00000017.00000002.607596633.0000000001E2B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: _vmware&prod_virtual_disk#5
Source: svchost.exe, 00000014.00000000.343599035.000000000177E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: _volsnap\0000root\legacy_ksecpkg\0000pciide\idechannel\5&35c44269&0&10acpi\pnp0a05\2froot\*teredo\0000display\default_monitor\4&10c2e2d6&0&12345678&00&0facpi\pnp0a05\4aroot\legacy_peauth\0000scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000acpi\genuineintel_-_intel64_family_6_model_85_-_intel(r)_core(tm)2_cpu_6600_@_2.40_ghz\_0acpi\pnp0a05\30acpi\pnp0a05\4broot\legacy_wanarpv6\0000root\legacy_lltdio\0000root\acpi_hal\0000pciide\idechannel\5&35c44269&0&24pci\ven_15ad&dev_0740&subsys_074015ad&rev_10\3&2b8e0b4b&0&3fpciide\idechannel\5&35c44269&0&11root\legacy_psched\0000pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&acpci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&b4acpi\pnp0a05\31pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&bcpci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&c4acpi\pnp0a05\4cacpi\pnp0800\4&205ad762&0root\blbdrive\0000pci\ven_8086&dev_7110&subsys_197615ad&rev_08\3&2b8e0b4b&0&38root\legacy_wdf01000\0000acpi\pnp0a05\32hdaudio\func_01&ven_15ad&dev_1975&subsys_15ad1975&rev_1001\5&8a7c
Source: svchost.exe, 00000019.00000000.346906062.0000000001170000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000019.00000000.346906062.0000000001170000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: WmiPrvSE.exe, 00000022.00000003.441341124.00000000003FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: svchost.exe, 00000019.00000000.346906062.0000000001170000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}w
Source: explorer.exe, 0000001F.00000002.606706574.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}100\4&20
Source: svchost.exe, 00000017.00000002.603298774.000000000037B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WmiPrvSE.exe, 00000022.00000003.441760961.00000000003AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: services.exe, 00000006.00000002.608321393.00000000017C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 53f56307-b6bf-11d0-94f2-00a0c91efb8b\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-1
Source: svchost.exe, 00000019.00000002.603306949.00000000002EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk 1.0 MM*
Source: svchost.exe, 00000014.00000002.606686716.0000000000F67000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000014.00000002.606686716.0000000000F60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&0000000
Source: services.exe, 00000006.00000000.341821779.0000000001783000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 53f56307-b6bf-11d0-94f2-00a0c91efb8b\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SCSI\DiskVMware__Virtual_disk____1.0_SCSI\DiskVMware__Virtual_disk____SCSI\DiskVMware__SCSI\VMware__Virtual_disk____1VMware__Virtual_disk____1GenDiskSCSI\DiskSCSI\RAWE_Channel*PNP0600
Source: svchost.exe, 00000019.00000000.347411701.0000000004720000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: stringComputer System ProductComputer System Product9BUL1B92043542-3A67-1E19-BC53-0184572EE55CVMware, Inc.Noney*
Source: WmiPrvSE.exe, 00000024.00000003.509098082.000000000027C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: select * from WMIBinaryMofResource where Name = "SCSI\\Disk&Ven_VMware&Prod_Virtual_disk\\5&22be343f&0&000000_0-{05901221-D566-11d1-B2F0-00A0C9062910}"00A0C9062910}"
Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: svchost.exe, 00000014.00000002.606686716.0000000000F67000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____\6&373888b8&0&1.0.0
Source: svchost.exe, 00000016.00000002.605131595.0000000002100000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: services.exe, 00000006.00000000.341821779.0000000001783000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 53f56307-b6bf-11d0-94f2-00a0c91efb8b\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SCSI\DiskVMware__Virtual_disk____1.0_SCSI\DiskVMware__Virtual_disk____SCSI\DiskVMware__SCSI\VMware__Virtual_disk____1VMware__Virtual_disk____1GenDiskSCSI\DiskSCSI\RAW
Source: svchost.exe, 00000014.00000002.602992913.00000000001E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
Source: svchost.exe, 00000016.00000002.605131595.0000000002100000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value)
Source: explorer.exe, 0000001F.00000002.606706574.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}eeab7790
Source: svchost.exe, 00000014.00000002.602992913.00000000001E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi\disk&ven_vmware_&prod_vmware_virtual_s\5&22be343f&0&000000
Source: svchost.exe, 00000019.00000000.346906062.0000000001170000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}a
Source: svchost.exe, 0000001D.00000002.605471171.00000000020A3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: ZDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____\6&373888b8&0&1.0.0272fb
Source: svchost.exe, 0000001D.00000002.603668650.000000000038D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Policyagent049f198-1016-11e7-b87b-806e6f6e6963}\??\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\DosDevices\D:\??\Volume{8a07945e-cd11-11ea-a1d0-806e6f6e6963}c
Source: svchost.exe, 00000019.00000000.347411701.000000000482C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Win32_PnPEntityVMware Virtual disk SCSI Disk Device{4d36e967-e325-11ce-bfc1-08002be10318}System.String[]Win32_PnPEntityDisk driveSCSI\DISK&VEN__HV5B96L&PROD_VIRTUAL_DISK\5&22BE343F&0&000000System.String[](Standard disk drives)VMware Virtual disk SCSI Disk DeviceSCSI\DISK&VEN_DN177VWB&PROD_VIRTUAL_DISK\5&22BE343F&0&000000diskOKWin32_ComputerSystemuser-PCBCAAEBA95E435CA5300A680BE9BF735F04A93ECECD18F46C56865C6158D43B74
Source: services.exe, 00000006.00000000.341821779.0000000001783000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 53f56308-b6bf-11d0-94f2-00a0c91efb8b\\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}IDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____IDE\NECVMWar_VMware_SATA_CD01_______________1.00____IDE\CdRomNECVMWar_VMware_SATA_CD01_______________NECVMWar_VMware_SATA_CD01_______________1.00____GenCdRomGenCdRome8
Source: svchost.exe, 00000016.00000002.605131595.0000000002100000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: services.exe, 00000006.00000000.341821779.0000000001783000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 53f56307-b6bf-11d0-94f2-00a0c91efb8b\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SCSI\DiskVMware__Virtual_disk____1.0_SCSI\DiskVMware__Virtual_disk____SCSI\DiskVMware__SCSI\VMware__Virtual_disk____1VMware__Virtual_disk____1GenDiskSCSI\DiskSCSI\RAWeX
Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\dialer.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\mine327.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\mine327.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_00577D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00577D90
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF64020C RegisterTraceGuidsW,RegDeleteKeyExW,GetCurrentProcess,SetPriorityClass,SystemParametersInfoW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegCreateKeyW,CreateMutexW,WaitForSingleObject,#899,#188,SetProcessShutdownParameters,PeekMessageW,WaitForSingleObject,CloseHandle,OleInitialize,CoCreateInstance,#660,SHGetValueW,GetUserDefaultUILanguage,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,GetSystemMetrics,CreateEventW,GetSystemMetrics,#885,CloseHandle,RegQueryValueExW,RegSetValueExW,#110,SHCreateThreadRef,SHSetThreadRef,#176,ReleaseMutex,CloseHandle,PostMessageW,#16,GetCurrentProcess,SetPriorityClass,RegisterApplicationRestart,CoCreateInstance,#201,ReleaseMutex,CloseHandle,GetCurrentProcess,SetPriorityClass,memset,SHGetKnownFolderIDList,ShellExecuteExW,#155,memset,GetCommandLineW,PathGetArgsW,CoCreateInstance,CoCreateInstance,CoCreateInstance,memset,GetStartupInfoW,#155,LoadLibraryW,GetProcAddress,FreeLibrary,SHSetThreadRef,GetMessageW,TranslateMessage,DispatchMessageW,RegSetValueExW,#111,OleUninitialize,#188,GetCommandLineW,PathGetArgsW,#158,#10,UnregisterTraceGuids,ExitProcess, 16_2_FF64020C
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_00571628 GetProcessHeap,HeapAlloc,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegCloseKey, 0_2_00571628
Source: C:\Windows\System32\dialer.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_005780F8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_005780F8
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_00577D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00577D90
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_00586218 SetUnhandledExceptionFilter, 0_2_00586218
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_0057D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0057D2A4
Source: C:\Windows\explorer.exe Code function: 2_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,exit, 2_2_0000000140001160
Source: C:\Windows\System32\services.exe Code function: 6_2_001F80F8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,TerminateProcess, 6_2_001F80F8
Source: C:\Windows\System32\services.exe Code function: 6_2_001F7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_001F7D90
Source: C:\Windows\System32\services.exe Code function: 6_2_001FD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_001FD2A4
Source: C:\Windows\System32\WerFault.exe Code function: 10_2_0248D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_0248D2A4
Source: C:\Windows\System32\WerFault.exe Code function: 10_2_024880F8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,TerminateProcess, 10_2_024880F8
Source: C:\Windows\System32\WerFault.exe Code function: 10_2_02487D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_02487D90
Source: C:\Windows\System32\winlogon.exe Code function: 12_2_009880F8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_009880F8
Source: C:\Windows\System32\winlogon.exe Code function: 12_2_00987D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00987D90
Source: C:\Windows\System32\winlogon.exe Code function: 12_2_0098D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_0098D2A4
Source: C:\Windows\System32\winlogon.exe Code function: 12_2_00996218 SetUnhandledExceptionFilter, 12_2_00996218
Source: C:\Windows\System32\sc.exe Code function: 13_2_00167D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00167D90
Source: C:\Windows\System32\sc.exe Code function: 13_2_00176218 SetUnhandledExceptionFilter, 13_2_00176218
Source: C:\Windows\System32\sc.exe Code function: 13_2_0016D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_0016D2A4
Source: C:\Windows\System32\conhost.exe Code function: 15_2_00207D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00207D90
Source: C:\Windows\System32\conhost.exe Code function: 15_2_0020D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_0020D2A4
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_002880F8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_002880F8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_00287D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00287D90
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_00296218 SetUnhandledExceptionFilter, 16_2_00296218
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_0028D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_0028D2A4
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_002F7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_002F7D90
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_00306218 SetUnhandledExceptionFilter, 16_2_00306218
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_002FD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_002FD2A4
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF64A6E8 SetUnhandledExceptionFilter, 16_2_FF64A6E8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6212F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_FF6212F0
Source: C:\Windows\System32\lsass.exe Code function: 17_2_009C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_009C7D90
Source: C:\Windows\System32\lsass.exe Code function: 17_2_009CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_009CD2A4
Source: C:\Windows\System32\lsm.exe Code function: 19_2_00267D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00267D90
Source: C:\Windows\System32\lsm.exe Code function: 19_2_00276218 SetUnhandledExceptionFilter, 19_2_00276218
Source: C:\Windows\System32\lsm.exe Code function: 19_2_0026D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_0026D2A4
Source: C:\Windows\System32\svchost.exe Code function: 20_2_006B7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_006B7D90
Source: C:\Windows\System32\svchost.exe Code function: 20_2_006BD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_006BD2A4
Source: C:\Windows\System32\svchost.exe Code function: 22_2_014A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_014A7D90
Source: C:\Windows\System32\svchost.exe Code function: 22_2_014AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_014AD2A4
Source: C:\Windows\System32\svchost.exe Code function: 23_2_00BC7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_00BC7D90
Source: C:\Windows\System32\svchost.exe Code function: 23_2_00BCD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_00BCD2A4
Source: C:\Windows\System32\svchost.exe Code function: 24_2_00A77D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_00A77D90
Source: C:\Windows\System32\svchost.exe Code function: 24_2_00A7D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_00A7D2A4
Source: C:\Windows\System32\svchost.exe Code function: 25_2_00C67D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_00C67D90
Source: C:\Windows\System32\svchost.exe Code function: 25_2_00C6D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_00C6D2A4
Source: C:\Windows\System32\svchost.exe Code function: 26_2_002C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_002C7D90
Source: C:\Windows\System32\svchost.exe Code function: 26_2_002CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_002CD2A4
Source: C:\Users\user\Desktop\mine327.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: oapavmkbdsqp.exe.2.dr
Source: C:\Windows\System32\svchost.exe Process created / APC Queued / Resumed: C:\Windows\System32\WerFault.exe
Source: C:\Users\user\Desktop\mine327.exe Memory allocated: C:\Windows\explorer.exe base: 140000000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\services.exe base: 1C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe base: E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsm.exe base: 1B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 680000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 130000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 13F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 970000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 180000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: B90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 110000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: FD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\spoolsv.exe base: 1E50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 120000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\explorer.exe base: 2800000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\taskeng.exe base: 970000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\UI0Detect.exe base: 1B80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 330000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE base: 130000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Users\user\Desktop\mine327.exe base: 540000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe base: 2C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 120000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\WerFault.exe base: 1D80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\sc.exe base: 130000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 1D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Users\user\Desktop\mine327.exe base: C60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1140000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1ACC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1B4A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1BE40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1BEA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1BF00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1BF60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1BFC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1C020000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1C080000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\services.exe base: 1C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\services.exe base: 1C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\winlogon.exe base: 950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\winlogon.exe base: 950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\lsass.exe base: F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\lsass.exe base: F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe base: E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe base: E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\lsm.exe base: 1B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\lsm.exe base: 1B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 680000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 680000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 130000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 130000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 13F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 13F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 970000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 970000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 180000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 180000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: B90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: B90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 110000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 110000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: FD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: FD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\spoolsv.exe base: 1E50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\spoolsv.exe base: 1E50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 120000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 120000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\dwm.exe base: 340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\dwm.exe base: 340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\explorer.exe base: 2800000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\explorer.exe base: 2800000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\taskeng.exe base: 970000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\taskeng.exe base: 970000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\UI0Detect.exe base: 1B80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\UI0Detect.exe base: 1B80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 330000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 330000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE base: 130000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE base: 130000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Users\user\Desktop\mine327.exe base: 540000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Users\user\Desktop\mine327.exe base: 540000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 120000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\svchost.exe base: 120000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\WerFault.exe base: 1D80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\WerFault.exe base: 1D80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\sc.exe base: 130000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\sc.exe base: 130000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\conhost.exe base: 1D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory protected: C:\Windows\System32\conhost.exe base: 1D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Code function: 3_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess, 3_2_0000000140001C88
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\services.exe EIP: 1C273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 95273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\conhost.exe EIP: E273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\lsass.exe EIP: F273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\lsm.exe EIP: 1B273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 68273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 13273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 13F273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 97273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 18273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: B9273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 11273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: FD273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\spoolsv.exe EIP: 1E5273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 12273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\dwm.exe EIP: 34273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\explorer.exe EIP: 280273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\taskeng.exe EIP: 97273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\UI0Detect.exe EIP: 1B8273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\wbem\WmiPrvSE.exe EIP: 1A273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 33273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\wbem\WmiPrvSE.exe EIP: 1B273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\wbem\WmiPrvSE.exe EIP: 1C273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 13273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 54273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\conhost.exe EIP: 2C273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 12273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\WerFault.exe EIP: 1D8273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\sc.exe EIP: 13273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\conhost.exe EIP: 1D273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C6273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 1ACC273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 1BF6273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 1BFC273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 1C02273C
Source: C:\Windows\System32\dialer.exe NtQueryInformationProcess: Direct from: 0x1400018E6
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe NtResumeThread: Indirect: 0x28231E
Source: C:\Windows\System32\dialer.exe NtQueryInformationProcess: Direct from: 0x140001176
Source: C:\Windows\System32\winlogon.exe NtOpenKeyEx: Direct from: 0x98171F
Source: C:\Windows\System32\winlogon.exe NtOpenKeyEx: Direct from: 0x981795
Source: C:\Windows\System32\winlogon.exe NtProtectVirtualMemory: Direct from: 0x984E3C
Source: C:\Windows\System32\dialer.exe NtCreateThreadEx: Direct from: 0x14000145B
Source: C:\Windows\System32\services.exe NtNotifyChangeKey: Direct from: 0x1F3862
Source: C:\Windows\System32\dialer.exe NtMapViewOfSection: Direct from: 0x14000202B
Source: C:\Windows\System32\lsass.exe NtSetTimer: Direct from: 0x772FA561
Source: C:\Windows\System32\services.exe NtQueryInformationProcess: Direct from: 0x1F196E
Source: C:\Windows\System32\dialer.exe NtQuerySystemInformation: Direct from: 0x14000155D
Source: C:\Windows\System32\services.exe NtQueryVolumeInformationFile: Direct from: 0x1F241C
Source: C:\Windows\System32\dialer.exe NtRequestWaitReplyPort: Direct from: 0x1400024AA
Source: C:\Windows\System32\winlogon.exe NtMapViewOfSection: Direct from: 0x989E4F
Source: C:\Windows\System32\services.exe NtSetInformationProcess: Direct from: 0x1F1A66
Source: C:\Windows\System32\services.exe NtReadFile: Direct from: 0x1F2309
Source: C:\Windows\System32\sc.exe NtEnumerateValueKey: Indirect: 0x16293D
Source: C:\Windows\System32\lsass.exe NtClose: Direct from: 0x9C173A
Source: C:\Windows\System32\lsass.exe NtMapViewOfSection: Direct from: 0xF2861
Source: C:\Windows\System32\dialer.exe NtProtectVirtualMemory: Direct from: 0x1400020B4
Source: C:\Windows\System32\winlogon.exe NtDelayExecution: Direct from: 0x981ADD
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe NtEnumerateValueKey: Indirect: 0x28293D
Source: C:\Windows\System32\winlogon.exe NtOpenSection: Direct from: 0x98F43A
Source: C:\Windows\System32\WerFault.exe NtQuerySystemInformation: Indirect: 0x248205D
Source: C:\Windows\System32\services.exe NtClose: Direct from: 0x1F173A
Source: C:\Windows\System32\dialer.exe NtClose: Direct from: 0x140002321
Source: C:\Windows\System32\dialer.exe NtCreateKey: Direct from: 0x140002444
Source: C:\Windows\System32\winlogon.exe NtEnumerateValueKey: Direct from: 0x98290E
Source: C:\Windows\System32\dialer.exe NtFsControlFile: Direct from: 0x140002208
Source: C:\Windows\System32\winlogon.exe NtProtectVirtualMemory: Direct from: 0x983830
Source: C:\Windows\System32\services.exe NtQueryDirectoryFile: Direct from: 0x1F23AE
Source: C:\Windows\System32\dialer.exe NtCreateKey: Direct from: 0x1400023C4
Source: C:\Windows\System32\dialer.exe NtReadVirtualMemory: Direct from: 0x1400015B0
Source: C:\Windows\System32\dialer.exe NtProtectVirtualMemory: Direct from: 0x1400020E4
Source: C:\Windows\System32\dialer.exe NtReadVirtualMemory: Direct from: 0x140001FAE
Source: C:\Windows\System32\winlogon.exe NtOpenKeyEx: Direct from: 0x9816E5
Source: C:\Windows\System32\dialer.exe NtQueryInformationProcess: Direct from: 0x14000121C
Source: C:\Windows\System32\services.exe NtResumeThread: Direct from: 0x1F231E
Source: C:\Windows\System32\dialer.exe NtAdjustPrivilegesToken: Direct from: 0x14000230E
Source: C:\Windows\System32\winlogon.exe NtOpenKeyEx: Direct from: 0x98180B
Source: C:\Windows\System32\winlogon.exe NtClose: Direct from: 0x9818A6
Source: C:\Windows\System32\winlogon.exe NtRequestWaitReplyPort: Direct from: 0x983311
Source: C:\Windows\System32\winlogon.exe NtProtectVirtualMemory: Direct from: 0x985E6C
Source: C:\Windows\System32\dialer.exe NtClose: Direct from: 0x140001901
Source: C:\Windows\System32\dialer.exe NtClose: Direct from: 0x140001623
Source: C:\Windows\System32\sc.exe NtResumeThread: Indirect: 0x16231E
Source: C:\Windows\System32\dialer.exe NtFsControlFile: Direct from: 0x140002C97
Source: C:\Windows\System32\dialer.exe NtAllocateVirtualMemory: Direct from: 0x14000192A
Source: C:\Windows\System32\winlogon.exe NtOpenKeyEx: Direct from: 0x98175A
Source: C:\Windows\System32\dialer.exe NtCreateFile: Direct from: 0x140001FDE
Source: C:\Windows\System32\dialer.exe NtCreateNamedPipeFile: Direct from: 0x140001C6D
Source: C:\Windows\System32\WerFault.exe NtResumeThread: Indirect: 0x248231E
Source: C:\Windows\System32\dialer.exe NtQuerySystemInformation: Direct from: 0x140002B9F Jump to behavior
Source: C:\Windows\System32\sc.exe NtDeviceIoControlFile: Indirect: 0x162B9D Jump to behavior
Source: C:\Windows\System32\winlogon.exe NtOpenKeyEx: Direct from: 0x981881 Jump to behavior
Source: C:\Windows\System32\dialer.exe NtAllocateVirtualMemory: Direct from: 0x140001657 Jump to behavior
Source: C:\Windows\System32\dialer.exe NtAllocateVirtualMemory: Direct from: 0x140001414 Jump to behavior
Source: C:\Windows\System32\dialer.exe NtClose: Direct from: 0x1400014B1
Source: C:\Windows\System32\lsass.exe NtQuerySystemInformation: Direct from: 0x9C205D Jump to behavior
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe NtEnumerateValueKey: Indirect: 0x28290E Jump to behavior
Source: C:\Windows\System32\lsass.exe NtResumeThread: Direct from: 0x9C3311 Jump to behavior
Source: C:\Windows\System32\dialer.exe NtRequestWaitReplyPort: Direct from: 0x1400024EE Jump to behavior
Source: C:\Windows\System32\dialer.exe NtAllocateVirtualMemory: Direct from: 0x140002335 Jump to behavior
Source: C:\Windows\System32\dialer.exe NtAllocateVirtualMemory: Direct from: 0x772FA36E Jump to behavior
Source: C:\Windows\System32\services.exe NtRequestWaitReplyPort: Direct from: 0x1F3311 Jump to behavior
Source: C:\Windows\System32\WerFault.exe NtQueryDirectoryFile: Indirect: 0x24823AE Jump to behavior
Source: C:\Windows\System32\dialer.exe NtFsControlFile: Direct from: 0x140002C30 Jump to behavior
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe NtDeviceIoControlFile: Indirect: 0x282B9D Jump to behavior
Source: C:\Windows\System32\winlogon.exe NtProtectVirtualMemory: Direct from: 0x9837F4 Jump to behavior
Source: C:\Windows\System32\winlogon.exe NtOpenKeyEx: Direct from: 0x9817D0 Jump to behavior
Source: C:\Windows\System32\dialer.exe NtRequestWaitReplyPort: Direct from: 0x140002081 Jump to behavior
Source: C:\Windows\System32\winlogon.exe NtClose: Direct from: 0x98173A
Source: C:\Windows\System32\winlogon.exe NtProtectVirtualMemory: Direct from: 0x98565F Jump to behavior
Source: C:\Windows\System32\dialer.exe NtReadVirtualMemory: Direct from: 0x1400015E7 Jump to behavior
Source: C:\Windows\System32\services.exe NtOpenSection: Direct from: 0x1FF43A Jump to behavior
Source: C:\Windows\System32\winlogon.exe NtOpenKeyEx: Direct from: 0x9816B8 Jump to behavior
Source: C:\Windows\System32\services.exe NtCreateFile: Direct from: 0x1F22C2 Jump to behavior
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe NtQuerySystemInformation: Indirect: 0x28205D Jump to behavior
Source: C:\Windows\System32\winlogon.exe NtAllocateVirtualMemory: Direct from: 0x983AA5 Jump to behavior
Source: C:\Windows\System32\dialer.exe NtProtectVirtualMemory: Direct from: 0x140001437 Jump to behavior
Source: C:\Windows\System32\lsass.exe NtDelayExecution: Direct from: 0x9C1ADD Jump to behavior
Source: C:\Windows\System32\lsass.exe NtOpenSection: Direct from: 0x9CF43A Jump to behavior
Source: C:\Windows\System32\dialer.exe NtSetSecurityObject: Direct from: 0x140002404 Jump to behavior
Source: C:\Windows\System32\services.exe NtMapViewOfSection: Direct from: 0x1C2861 Jump to behavior
Source: C:\Windows\System32\winlogon.exe NtProtectVirtualMemory: Direct from: 0x952861 Jump to behavior
Source: C:\Windows\System32\dialer.exe NtRequestWaitReplyPort: Direct from: 0x14000250F Jump to behavior
Source: C:\Windows\System32\services.exe NtMapViewOfSection: Direct from: 0x1F9E4F Jump to behavior
Source: C:\Windows\System32\winlogon.exe NtEnumerateValueKey: Direct from: 0x98293D Jump to behavior
Source: C:\Windows\System32\winlogon.exe NtAllocateVirtualMemory: Direct from: 0x9527DD Jump to behavior
Source: C:\Windows\System32\lsass.exe NtMapViewOfSection: Direct from: 0x9C9E4F Jump to behavior
Source: C:\Windows\System32\services.exe NtDelayExecution: Direct from: 0x1F1ADD Jump to behavior
Source: C:\Windows\System32\dialer.exe NtSetValueKey: Direct from: 0x140002475 Jump to behavior
Source: C:\Windows\System32\dialer.exe NtProtectVirtualMemory: Direct from: 0x140001BF1 Jump to behavior
Source: C:\Windows\System32\dialer.exe NtDeviceIoControlFile: Direct from: 0x1400023EB Jump to behavior
Source: C:\Windows\System32\sc.exe NtEnumerateValueKey: Indirect: 0x16290E Jump to behavior
Source: C:\Windows\System32\dialer.exe NtDelayExecution: Direct from: 0x140002517 Jump to behavior
Source: C:\Windows\System32\dialer.exe NtClose: Direct from: 0x14000247F
Source: C:\Windows\System32\winlogon.exe NtOpenKeyEx: Direct from: 0x981846 Jump to behavior
Source: C:\Windows\System32\dialer.exe NtReadFile: Direct from: 0x140002C53 Jump to behavior
Source: C:\Windows\System32\dialer.exe NtQuerySystemInformation: Direct from: 0x1400022D6 Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: C:\Windows\explorer.exe base: 140000000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\services.exe base: 1C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 950000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: F0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe base: E0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsm.exe base: 1B0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 680000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 130000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 13F0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 970000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 180000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: B90000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 110000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: FD0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1E50000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 120000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 340000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\explorer.exe base: 2800000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\taskeng.exe base: 970000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\UI0Detect.exe base: 1B80000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1A0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 330000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE base: 130000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 540000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe base: 2C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 120000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\WerFault.exe base: 1D80000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\sc.exe base: 130000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 1D0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: C60000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1140000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1ACC0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1B4A0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1BE40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1BEA0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1BF00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1BF60000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1BFC0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1C020000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1C080000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: PID: 2996 base: 140000000 value: 4D Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: PID: 2996 base: 140001000 value: 56 Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: PID: 2996 base: 140008000 value: 28 Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: PID: 2996 base: 14000A000 value: 00 Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: PID: 2996 base: 1402BD000 value: 00 Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: PID: 2996 base: 1402BE000 value: 80 Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: PID: 2996 base: 1402BF000 value: 00 Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: PID: 2996 base: 1402C0000 value: 00 Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: PID: 2996 base: 7FFFFFDB010 value: 00 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: PID: 1244 base: 2800000 value: 4D Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Thread register set: target process: 2996 Jump to behavior
Source: C:\Windows\explorer.exe Thread register set: target process: 2096 Jump to behavior
Source: C:\Windows\System32\services.exe Thread APC queued: target process: C:\Windows\System32\WerFault.exe Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: C:\Windows\explorer.exe base: 140000000 Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: C:\Windows\explorer.exe base: 140001000 Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: C:\Windows\explorer.exe base: 140008000 Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: C:\Windows\explorer.exe base: 14000A000 Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: C:\Windows\explorer.exe base: 1402BD000 Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: C:\Windows\explorer.exe base: 1402BE000 Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: C:\Windows\explorer.exe base: 1402BF000 Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: C:\Windows\explorer.exe base: 1402C0000 Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Memory written: C:\Windows\explorer.exe base: 7FFFFFDB010 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\services.exe base: 1C0000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 950000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: F0000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe base: E0000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsm.exe base: 1B0000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 680000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 13F0000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 970000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 180000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: B90000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 110000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: FD0000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1E50000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 120000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 340000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\explorer.exe base: 2800000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\taskeng.exe base: 970000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\UI0Detect.exe base: 1B80000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1A0000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 330000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B0000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1C0000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE base: 130000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 540000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe base: 2C0000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 120000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\WerFault.exe base: 1D80000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\sc.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 1D0000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: C60000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1140000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1ACC0000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1B4A0000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1BE40000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1BEA0000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1BF00000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1BF60000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1BFC0000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1C020000 Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\mine327.exe base: 1C080000 Jump to behavior
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 Jump to behavior
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 Jump to behavior
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 Jump to behavior
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 Jump to behavior
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 Jump to behavior
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 Jump to behavior
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 Jump to behavior
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 Jump to behavior
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 Jump to behavior
Source: C:\Users\user\Desktop\mine327.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" Jump to behavior
Source: C:\Windows\System32\services.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup Jump to behavior
Source: C:\Windows\System32\services.exe Process created: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1436 -s 724 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\dialer.exe Code function: 3_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 3_2_0000000140001B54
Source: explorer.exe, 0000001F.00000002.602714101.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.349660283.00000000001D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman-
Source: winlogon.exe, 0000000C.00000000.342557683.0000000001570000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000C.00000002.607268412.0000000001570000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001E.00000002.603257969.0000000000600000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: winlogon.exe, 0000000C.00000000.342557683.0000000001570000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000C.00000002.607268412.0000000001570000.00000002.00000001.00040000.00000000.sdmp, oapavmkbdsqp.exe, dwm.exe, 0000001E.00000002.603257969.0000000000600000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000003.341979658.0000000000430000.00000004.00000001.00020000.00000000.sdmp, oapavmkbdsqp.exe, 00000010.00000000.342456608.00000000FF6DA000.00000002.00000001.01000000.00000007.sdmp, oapavmkbdsqp.exe, 00000010.00000002.410015355.00000000FF6DA000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: Shell_TrayWndSettingsStuckRects2Logoff UserRestartTimerEnable Balloon TipShowOnlyQuickLaunchDeskBandDropDescriptionTrayClockWClass
Source: oapavmkbdsqp.exe Binary or memory string: Progman
Source: winlogon.exe, 0000000C.00000000.342557683.0000000001570000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000C.00000002.607268412.0000000001570000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001E.00000002.603257969.0000000000600000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000002.00000003.341979658.0000000000430000.00000004.00000001.00020000.00000000.sdmp, oapavmkbdsqp.exe, 00000010.00000000.342456608.00000000FF6DA000.00000002.00000001.01000000.00000007.sdmp, oapavmkbdsqp.exe, 00000010.00000002.410015355.00000000FF6DA000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: ProgmanProxy DesktopHIMAGELIST_QueryInterfaceRtlDllShutdownInProgressntdll.dll9V
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_005536F0 cpuid 0_2_005536F0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: GetWindowLongW,GetSystemMetrics,SetRect,GetWindowLongW,GetWindowLongW,AdjustWindowRectEx,GetThemeBackgroundExtent,GetLocaleInfoW,GetLocaleInfoW, 16_2_FF630870
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: GetLocaleInfoW, 16_2_FF64A0B0
Source: C:\Users\user\Desktop\mine327.exe Queries volume information: C:\Users\user\Desktop\mine327.exe VolumeInformation
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
Source: C:\Users\user\Desktop\mine327.exe Code function: 0_2_00577960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00577960
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6387AC GetThemeBool,GetUserNameExW,GdipAlloc,GdipCreateBitmapFromHBITMAP,GdipGetImageWidth,GdipGetImageHeight,GdipGetImageHeight,GdipGetImageWidth,DeleteObject,#2,#241,SetWindowTextW,GdipGetImageWidth,GdipGetImageHeight,MulDiv,GdipGetImageHeight,GdipGetImageWidth,MulDiv,#484, 16_2_FF6387AC
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF649DB0 memset,GetDynamicTimeZoneInformation,EnterCriticalSection,memcmp,memset,RegCloseKey,memcpy,LeaveCriticalSection,GetTimeZoneInformation,GetLastError, 16_2_FF649DB0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6A9E9C CoCreateInstance,memset,GetVersionExW,GetProductInfo,#155,RegOpenKeyExW,#439,#460,#190,#16,SHCreateDataObject,#155,#155,RegCloseKey, 16_2_FF6A9E9C
Source: C:\Users\user\Desktop\mine327.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: svchost.exe, 00000016.00000002.602523824.00000000000F4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.344499993.00000000000F4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.347411701.0000000004720000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MSASCui.exe
Source: svchost.exe, 00000019.00000000.347411701.0000000004720000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: efender\MSASCui.exe
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF634EF4 SHBindToParent, 16_2_FF634EF4
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6B9EF0 memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,LocalAlloc,CreateWellKnownSid,GetLastError,RpcBindingSetAuthInfoExW,LocalFree,RpcBindingFree, 16_2_FF6B9EF0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF642ED0 SHBindToParent, 16_2_FF642ED0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6A8D58 SHBindToParent,#460,SHStrDupW, 16_2_FF6A8D58
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF63FDA0 SHBindToParent, 16_2_FF63FDA0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF69AD98 SetForegroundWindow,SHBindToObject,#279,SHGetPathFromIDListW,#388, 16_2_FF69AD98
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6B6CD8 #21,SHBindToObject,#155,SHBindToObject,SHGetIDListFromObject,#484,#155,#155,#155, 16_2_FF6B6CD8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6B9B64 RpcBindingFree,CloseHandle,CloseHandle,NdrClientCall3,LocalFree, 16_2_FF6B9B64
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6B6B20 #21,SHBindToObject,#155,SHBindToObject,SHGetIDListFromObject,#155,#155,#155, 16_2_FF6B6B20
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6AFBDC SHBindToParent, 16_2_FF6AFBDC
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF665A40 SHBindToParent,#571,DestroyWindow, 16_2_FF665A40
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF62F9CC SHBindToFolderIDListParent, 16_2_FF62F9CC
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF62A8E8 SHBindToFolderIDListParent,#787,SHStrDupW,PathParseIconLocationW,Shell_GetCachedImageIndexW,CoTaskMemFree,memset,PathIsNetworkPathW,AssocQueryKeyW,Shell_GetCachedImageIndexW,SHGetValueW,RegCloseKey,PathParseIconLocationW,Shell_GetCachedImageIndexW, 16_2_FF62A8E8
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF65F750 SetForegroundWindow,#89,SHBindToParent,CreatePopupMenu,LoadStringW,AppendMenuW,LoadStringW,AppendMenuW,TrackPopupMenu,DestroyMenu,#155,#100,SHGetFolderPathW,AppendMenuW,LoadStringW,AppendMenuW,#158,memset,SHGetPathFromIDListA,SHGetPathFromIDListW,SHGetKnownFolderIDList, 16_2_FF65F750
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF634720 SHBindToParent,DestroyIcon,SHParseDisplayName,SHBindToParent,DestroyIcon,#155, 16_2_FF634720
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF63F798 #89,SHBindToObject,CoTaskMemFree,#155, 16_2_FF63F798
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6506F4 SHBindToParent, 16_2_FF6506F4
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF66941C GetClientRect,SHGetKnownFolderIDList,SHBindToParent,SendMessageCallbackW,#155,CoTaskMemFree,DestroyIcon, 16_2_FF66941C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF67437C SHGetIDListFromObject,#16,#17,#155,SHBindToParent,#199, 16_2_FF67437C
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF635320 SHGetKnownFolderIDList,SHBindToParent,CoCreateInstance,#487,StrCmpW,CoTaskMemFree,PathParseIconLocationW,#460,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,SendMessageCallbackW,#155,CoTaskMemFree,DestroyIcon, 16_2_FF635320
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6BC3E0 #278,CoCreateInstance,SendMessageW,SHBindToParent,SendMessageW,#571,SendMessageW,DestroyWindow, 16_2_FF6BC3E0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6D73F4 SHBindToObject,#155, 16_2_FF6D73F4
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF672398 memset,StringFromGUID2,#155,SHBindToObject, 16_2_FF672398
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6D7270 #25,#155,SHBindToObject,#18, 16_2_FF6D7270
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6A9110 SHGetKnownFolderIDList,SHBindToObject,#25,#155,#155,SHGetKnownFolderIDList,#155, 16_2_FF6A9110
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF6741F0 #155,#155,SHBindToObject, 16_2_FF6741F0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 16_2_FF674000 SHGetIDListFromObject,SHBindToObject,CoTaskMemFree,CoTaskMemFree,SHCreateItemFromIDList,CoTaskMemFree, 16_2_FF674000
No contacted IP infos