Windows Analysis Report
C.png

Overview

General Information

Sample Name: C.png (renamed file extension from png to dll)
Analysis ID: 651257
MD5: 8b81e6a7702f58b93fdc2b57ab401ffb
SHA1: 2990b8adc8891564c404190bedab55df5027da32
SHA256: 500f85201bcfc0ae49204bd31ed4f055cac1b0b7f8e74339907f5c14b8e711a8
Tags: dll

Detection

CryptOne, Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Qbot
Yara detected CryptOne packer
Sigma detected: Schedule system process
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Machine Learning detection for sample
Allocates memory in foreign processes
Creates files in the system32 config directory
Injects code into the Windows Explorer (explorer.exe)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
PE file overlay found
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: C.dll Joe Sandbox ML: detected
Source: 4.0.explorer.exe.3230000.0.unpack Malware Configuration Extractor: Qbot {"Bot id": "AA", "Campaign": "1655971687", "Version": "403.780", "C2 list": [...]}
Source: C.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: Binary string: amstream.pdb source: explorer.exe, 00000004.00000003.324038860.0000000005034000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.394565875.0000000003F4F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL source: explorer.exe, 00000004.00000003.324038860.0000000005034000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.394565875.0000000003F4F000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B15A3C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00B15A3C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B18F90 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00B18F90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_009D5A3C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 2_2_009D5A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_009D8F90 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 2_2_009D8F90
Source: explorer.exe, 00000004.00000003.325177471.0000000005378000.00000004.00000800.00020000.00000000.sdmp, C.dll String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: explorer.exe, 00000004.00000003.325177471.0000000005378000.00000004.00000800.00020000.00000000.sdmp, C.dll String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: explorer.exe, 00000004.00000003.325177471.0000000005378000.00000004.00000800.00020000.00000000.sdmp, C.dll String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: explorer.exe, 00000004.00000003.325177471.0000000005378000.00000004.00000800.00020000.00000000.sdmp, C.dll String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: explorer.exe, 00000004.00000003.325177471.0000000005378000.00000004.00000800.00020000.00000000.sdmp, C.dll String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: explorer.exe, 00000004.00000003.325177471.0000000005378000.00000004.00000800.00020000.00000000.sdmp, C.dll String found in binary or memory: http://ocsp.comodoca.com0
Source: explorer.exe, 00000004.00000003.325177471.0000000005378000.00000004.00000800.00020000.00000000.sdmp, C.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: explorer.exe, 00000004.00000003.325177471.0000000005378000.00000004.00000800.00020000.00000000.sdmp, C.dll String found in binary or memory: http://ocsp.sectigo.com0#
Source: loaddll32.exe, rundll32.exe String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: loaddll32.exe, 00000000.00000002.289505180.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000002.323140727.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, explorer.exe, 00000004.00000003.325177471.0000000005378000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000018.00000002.393512133.0000000000401000.00000020.00000001.01000000.00000003.sdmp, C.dll String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types
Source: loaddll32.exe, rundll32.exe String found in binary or memory: http://www.borland.com/namespaces/Types
Source: regsvr32.exe, 00000018.00000002.393875981.00000000035D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types-IAppServerSOAP
Source: loaddll32.exe, 00000000.00000002.289505180.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000002.323140727.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, explorer.exe, 00000004.00000003.325177471.0000000005378000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000018.00000002.393512133.0000000000401000.00000020.00000001.01000000.00000003.sdmp, C.dll String found in binary or memory: http://www.borland.com/namespaces/Typeslhttp://www.borland.com/namespaces/Types-IAppServerSOAP
Source: explorer.exe, 00000004.00000003.325177471.0000000005378000.00000004.00000800.00020000.00000000.sdmp, C.dll String found in binary or memory: https://sectigo.com/CPS0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_009F6EBC GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 2_2_009F6EBC
Source: C.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 752
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_et0gmkgs.0m3.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 00B16D1C appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 009D6D1C appears 48 times
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B3CFCC NtdllDefWindowProc_A, 0_2_00B3CFCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_009FCFCC NtdllDefWindowProc_A, 2_2_009FCFCC
Source: C.dll.4.dr Static PE information: No import functions for PE file found
Source: C.dll Binary or memory string: OriginalFilenameDupefinder.exe> vs C.dll
Source: C.dll Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\loaddll32.exe Section loaded: ggr.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: jr3.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: ggr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: jr3.dll
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\C.dll 73CBBE5DA2FCE01B57CAA2A39EA01DB26B84DD62631409CF4B3FCFDC4A09A2F7
Source: C.dll.4.dr Static PE information: Data appended to the last section found
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\C.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\C.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\C.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 752
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 17:57 /tn qsrshyj /ET 18:08 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABDAC4AZABsAGwAIgA=" /SC ONCE
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABDAC4AZABsAGwAIgA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\Desktop\C.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Users\user\Desktop\C.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABDAC4AZABsAGwAIgA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\Desktop\C.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Users\user\Desktop\C.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\C.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\C.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 17:57 /tn qsrshyj /ET 18:08 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABDAC4AZABsAGwAIgA=" /SC ONCE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\Desktop\C.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Users\user\Desktop\C.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Iaeeomkaq
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC572.tmp
Source: classification engine Classification label: mal100.troj.evad.winDLL@28/12@0/1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B19114 GetDiskFreeSpaceA, 0_2_00B19114
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B353DC GetLastError,FormatMessageA, 0_2_00B353DC
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\C.dll",#1
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{A644AA43-420A-4699-971E-B9FC952EE63F}
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6540:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{B392BFCE-678F-45E7-AC07-60731D963391}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\Global\{F4935CEA-067E-4885-957C-2F62BD7516DF}
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7032:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{B392BFCE-678F-45E7-AC07-60731D963391}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{A644AA43-420A-4699-971E-B9FC952EE63F}
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5620
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{F4935CEA-067E-4885-957C-2F62BD7516DF}
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6124:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B2B20C FindResourceA, 0_2_00B2B20C
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C.dll Static file information: File size 1112443 > 1048576
Source: Binary string: amstream.pdb source: explorer.exe, 00000004.00000003.324038860.0000000005034000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.394565875.0000000003F4F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL source: explorer.exe, 00000004.00000003.324038860.0000000005034000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.394565875.0000000003F4F000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BDB88C push 00BDB8FBh; ret 0_2_00BDB8F3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B1E0B4 push 00B1E230h; ret 0_2_00B1E228
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B398B4 push 00B39984h; ret 0_2_00B3997C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B270A0 push 00B27148h; ret 0_2_00B27140
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B41888 push 00B418B4h; ret 0_2_00B418AC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B3F8F8 push 00B3F924h; ret 0_2_00B3F91C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B16838 push 00B16864h; ret 0_2_00B1685C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B27028 push 00B2709Eh; ret 0_2_00B27096
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B2A818 push ecx; mov dword ptr [esp], edx 0_2_00B2A81D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B3D854 push 00B3D880h; ret 0_2_00B3D878
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B2A85C push ecx; mov dword ptr [esp], edx 0_2_00B2A861
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B3A1CC push 00B3A1F8h; ret 0_2_00B3A1F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B1E2B4 push 00B1E2E0h; ret 0_2_00B1E2D8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B17AD0 push 00B17AFCh; ret 0_2_00B17AF4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B1EAD0 push 00B1EAFCh; ret 0_2_00B1EAF4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B1E234 push 00B1E2A3h; ret 0_2_00B1E29B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B3BA28 push 00B3BA54h; ret 0_2_00B3BA4C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B3A21C push 00B3A248h; ret 0_2_00B3A240
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B28A0C push 00B28A59h; ret 0_2_00B28A51
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B27244 push 00B27270h; ret 0_2_00B27268
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B3BBD4 push 00B3BC00h; ret 0_2_00B3BBF8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B16B00 push 00B16B2Ch; ret 0_2_00B16B24
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B28B44 push 00B28B70h; ret 0_2_00B28B68
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B274B0 push ecx; mov dword ptr [esp], ecx 0_2_00B274B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B3D48C push 00B3D4B8h; ret 0_2_00B3D4B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B274D0 push ecx; mov dword ptr [esp], ecx 0_2_00B274D3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B2A4D4 push ecx; mov dword ptr [esp], edx 0_2_00B2A4D9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B3A4D4 push 00B3A500h; ret 0_2_00B3A4F8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B324DC push 00B3256Ch; ret 0_2_00B32564
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B3D4C4 push 00B3D4FCh; ret 0_2_00B3D4F4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B3242C push 00B324D7h; ret 0_2_00B324CF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B3BDCC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00B3BDCC
Source: C.dll.4.dr Static PE information: real checksum: 0x109ebe should be: 0xa0a4
Source: C.dll Static PE information: real checksum: 0x109ebe should be: 0x110071
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\Desktop\C.dll

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Desktop\C.dll

Boot Survival

Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 17:57 /tn qsrshyj /ET 18:08 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABDAC4AZABsAGwAIgA=" /SC ONCE

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 812 base: 38F380 value: E9 63 6E EA 02
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 6812 base: 38F380 value: E9 63 6E C2 02
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B39C84 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00B39C84
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00A212A4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 2_2_00A212A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_009F9C84 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_009F9C84
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B3BDCC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00B3BDCC
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSANALYZER.EXEH
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.766189810.0000000003E05000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXEQ
Source: explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILEMON.EXEP
Source: explorer.exe, 00000019.00000002.766189810.0000000003E05000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXEM
Source: explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IMPORTREC.EXE
Source: explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE{
Source: explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXEZ
Source: explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXEM
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXEW
Source: explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXEC
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXEW
Source: explorer.exe, 00000019.00000002.766189810.0000000003E05000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE|
Source: explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXEE
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXEW
Source: explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSANALYZER.EXE
Source: explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE|
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILEMON.EXE
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.766189810.0000000003E05000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXEP
Source: explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SNIFF_HIT.EXEY
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXEV
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILEMON.EXEW
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXE
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE
Source: explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SNIFF_HIT.EXE
Source: explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SNIFF_HIT.EXEN
Source: explorer.exe, 00000019.00000002.766163463.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROC_ANALYZER.EXE
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXEW
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXEV
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: explorer.exe, 00000019.00000003.395367126.0000000003DFF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.766149295.0000000003D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B4047C 0_2_00B4047C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00A0047C 2_2_00A0047C
Source: C:\Windows\SysWOW64\explorer.exe TID: 6488 Thread sleep time: -129000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6620 Thread sleep count: 1747 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6620 Thread sleep count: 2015 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6588 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6640 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6808 Thread sleep count: 109 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7024 Thread sleep count: 105 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7024 Thread sleep time: -105000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 916 Thread sleep count: 1529 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5840 Thread sleep count: 266 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5832 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 829 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1747 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2015 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1529 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe API coverage: 6.1 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.7 %
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B4047C 0_2_00B4047C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00A0047C 2_2_00A0047C
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B3596C GetSystemInfo, 0_2_00B3596C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B15A3C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00B15A3C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B18F90 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00B18F90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_009D5A3C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 2_2_009D5A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_009D8F90 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 2_2_009D8F90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B3BDCC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00B3BDCC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory protected: page write copy | page execute and write copy | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 3260000 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 38F380 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2FE0000 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 38F380 Jump to behavior
Source: unknown Process created: Base64 decoded regsvr32.exe "C:\Users\jones\Desktop\C.dll"
Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3260000 protect: page read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2FE0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 812 base: 3260000 value: 9C Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 812 base: 38F380 value: E9 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 6812 base: 2FE0000 value: 9C Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 6812 base: 38F380 value: E9 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 17:57 /tn qsrshyj /ET 18:08 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABDAC4AZABsAGwAIgA=" /SC ONCE
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\C.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\Desktop\C.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\Desktop\C.dll
Source: C:\Windows\System32\loaddll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\loaddll32.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00B15BF4
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetACP, 0_2_00B1D024
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_00B1BA08
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_00B1BA54
Source: C:\Windows\System32\loaddll32.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00B15D00
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_00B16508
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 2_2_009D5BF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetACP, 2_2_009DD024
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 2_2_009DBA08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 2_2_009DBA54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 2_2_009D6508
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 2_2_009D5D00
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B1A4C0 GetLocalTime, 0_2_00B1A4C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B1C9CC GetVersionExA, 0_2_00B1C9CC
Source: loaddll32.exe, 00000000.00000003.276518369.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000000.281761673.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.277505237.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
Source: rundll32.exe, 00000002.00000000.281761673.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: loaddll32.exe, 00000000.00000003.276518369.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000000.281761673.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.277505237.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
Source: loaddll32.exe, 00000000.00000003.276518369.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000000.281761673.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.277505237.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: rundll32.exe, 00000002.00000000.281761673.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SavService.exe
Source: loaddll32.exe, 00000000.00000003.276518369.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000000.281761673.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.277505237.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 00000002.00000000.281761673.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dwengine.exe
Source: loaddll32.exe, 00000000.00000003.276518369.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000000.281761673.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.277505237.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
Source: rundll32.exe, 00000002.00000000.281761673.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SAVAdminService.exe
Source: loaddll32.exe, 00000000.00000003.276518369.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000000.281761673.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.277505237.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 4.2.explorer.exe.3230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.10a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.regsvr32.exe.3af0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.10c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2750184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.regsvr32.exe.3b10000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.regsvr32.exe.3ac0184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.explorer.exe.2fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.1070184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.1070184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.1070184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.1070184.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.explorer.exe.3230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.10a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.10c0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2750184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.explorer.exe.2fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.10c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.10a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2780000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.10a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.27a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.10c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.explorer.exe.3230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.regsvr32.exe.3af0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.1070184.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.27a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.explorer.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.regsvr32.exe.3b10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.10a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.explorer.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.10c0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.regsvr32.exe.3ac0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.explorer.exe.3230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2780000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.10a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.1070184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.10c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.323381928.00000000010A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.393963522.0000000003B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.765579370.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.281557672.0000000001070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.290253396.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283835804.0000000001070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.765540679.0000000003230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.323413560.00000000010C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.393925531.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283947623.00000000010C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.390120530.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.288483062.0000000003230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.281698290.00000000010C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.290425745.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.281670705.00000000010A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.323357187.0000000001070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.393905257.0000000003AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283887210.00000000010A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.290335602.0000000002780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 4.2.explorer.exe.3230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.10a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.regsvr32.exe.3af0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.10c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2750184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.regsvr32.exe.3b10000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.regsvr32.exe.3ac0184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.explorer.exe.2fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.1070184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.1070184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.1070184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.1070184.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.explorer.exe.3230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.10a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.10c0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2750184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.explorer.exe.2fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.10c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.10a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2780000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.10a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.27a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.10c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.explorer.exe.3230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.regsvr32.exe.3af0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.1070184.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.27a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.explorer.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.regsvr32.exe.3b10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.10a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.explorer.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.10c0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.regsvr32.exe.3ac0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.explorer.exe.3230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2780000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.10a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.1070184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.10c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.323381928.00000000010A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.393963522.0000000003B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.765579370.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.281557672.0000000001070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.290253396.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283835804.0000000001070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.765540679.0000000003230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.323413560.00000000010C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.393925531.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283947623.00000000010C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.390120530.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.288483062.0000000003230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.281698290.00000000010C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.290425745.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.281670705.00000000010A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.323357187.0000000001070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.393905257.0000000003AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283887210.00000000010A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.290335602.0000000002780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY